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APPEAL BRIEF UNDER 37 CF.R S 41.37 

Mail Stop Appeal Brief-Patents 
Commissioner for Patents 
PO Box 1450 

Alexandria, VA 22313-1450 
Sir: 

Pursuant to the Appellant's earlier filed Notice of Appeal on October 23, 2006, Appellant 
hereby appeals to the Board of Patent Appeals and Interferences from the final rejection mailed 
June 22, 2006. Appellant submits this Appeal Brief along with the filing fee of $500.00 set forth 
in 37 CF.R. §41 .20(b)(2). 

Also enclosed is a Claims Appendix in compliance with 37 CF.R. § 41 .37(c)(1)(viii) and 
an Evidence Appendix in compliance with 37 CF.R. § 41.37(c)(1)(ix) includes references of 
record and discussed in the Appeal Brief below. A Related Proceedings Appendix in 
compliance with 37 CF.R. § 41 .37(c)(1)(x) is enclosed and indicated as being NONE. 

L Real Party in Interest 

Pursuant to 37 CF.R. §41.37(c)(1)(i), due to the assignment executed on July 27, 2001 

by the inventors Hyun-kwon CHUNG and Jung-kwon HEO and recorded in the United States 
Patent and Trademark Office at Reel 012262, Frame 0320, the real party in interest is as 
follows" 
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Samsung Electronics Co., Ltd. 
416, Maetan-dong, Paldal-gu, 
Suwon-city, Kyungki-do 
Republic of Korea 

II. Related Appeals and Interferences 

Pursuant to 37 C.F.R. §41.37(c)(1)(ii), although the real party in interest has other 

appeals and interferences, there is only one other pending appeal and interference believed to 
directly affect or be directly affected by, or have any bearing upon the decision of the Board of 
Patent Appeals and Interferences in this appeal. The related appeal is for U.S. patent 
application no. 10/995,295. No decision on this appeal has been made at this time. 

III. Status of Claims 

Pursuant to 37 C.F.R. §41 .37(c)(1 )(iii), claims 45 through 51 , 53 through 60, and 62 

through 71 are pending in this application at the filing of this Appeal Brief. Claims 45 through 51 , 
53 through 60, and 62 through 71 stand finally rejected. Claims 45, 51, and 59 are independent 
claims, and claims 46 through 50, 53 through 58, 60, and 62 through 71 are dependent claims. 

In view of the final Office Action mailed June 22, 2006 as supplemented in the Advisory 
Action of October 17, 2006, claims 45 through 51 , 53 through 60, and 62 through 71 stand finally 
rejected. This Appeal Brief is an appeal of the finally rejected claims 45 through 51 , 53 through 
60, and 62 through 71. 

IV. Status of Amendments 

Pursuant to 37 C.F.R. §41.37(c)(1)(iv), no amendments have been filed since the final 

Office Action of June 22, 2006. Pursuant to 37 C.F.R. §41 .37(c)(viii), a copy of the claims 
involved in the appeal is included in their present condition is included in the Claims Appendix. 

V. Summary of the Claimed Subject Matter 

Pursuant to 37 C.F.R. §41.37(c)(v), aspects of the present invention are directed to a 

method of providing additional contents related to predetermined contents. A reading apparatus 
10 reads an identifier, such as an International Standard Recording Code (ISRC), from an 
optical disc 1 in operation 401 . The optical disc 1 has contents associated with additional 



SERIAL NO. 09/903,630 DOCKET NO. 1293.1225 

contents stored on a rennote server 102 of a server system 100. The contents can be audio 
contents or video contents, and the additional information can be words of songs, personal 
information items of singers, recent activities, and/or other like songs. An identification 
generator 1 1 transmits the identifier to a controller 12, and a browser 14 stores the transmitted 
identifier in a Cookie file in operation 402. (Paragraphs 0003, 0004, 0032, and 0040; FIGs. 1 
and 4). While not limited to this example, this example corresponds more broadly to "a 
reproduction apparatus for reproducing contents, comprising: an identifier provider for providing 
an identifier of the contents" and "a controller for storing the contents identifier provided by the 
identifier provider as a Cookie file" as recited in claim 45; and an "information storage medium 
for use with a recording and/or reproducing apparatus and comprising a Cookie program which 
implements a method of generating a Cookie file used by the apparatus, the method comprising: 
detecting an identifier of predetermined contents" and "preparing and storing the detected 
contents identifier in the Cookie file ...," "wherein the contents identifier is an international 
standard recording code (ISRC) read from a recording medium" as recited in claim 59. 

When a request for the additional information is made in operation 404, the browser 14 
is called and connects to the server system 100 through a network connector 13 in operation 
405. Once connected, the browser 14 retrieves the stored Cookie file from a memory, and 
provides the Cookie file including the identifier to the server 102 in operation 406. The server 
102 provides in operation 407 the additional information determined by the server 100 to be 
associated with the contents according to the identifier in the transmitted Cookie file. The 
received additional contents are reproduced in operation 408. (Paragraphs 0035, 0036, 0040, 
and 0041; FIG. 4). While not limited to this example, this process corresponds more broadly to 
"a network connector" and "a controller for ... transmitting the stored contents identifier through 
the network connector to a server system, which provides additional information related to the 
contents through the network connector, and receiving through the network connector the 
additional information provided from the server system after the stored contents identifier was 
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transmitted" as recited in claim 45; and an "information storage medium for use with a recording 
and/or reproducing apparatus and comprising a Cookie program which implements a method of 
generating a Cookie file used by the apparatus, the method comprising:" "preparing and storing 
the detected contents identifier in the Cookie file for use in a subsequent transmission by the 
apparatus to a server system providing additional information related to the predetermined 
contents through a network connector of the apparatus in response to the sent Cookie file" as 
recited in claim 59. 

From the perspective of the server system 100, the server 102 connects to the browser 
14 through a network connector 13 of a reading apparatus 10. In operation 502, the server 502 
requests the identifier from the browser 14 and receives the Cookie file with the identifier The 
identifier is read from an optical disc 1 in operation 401, and browser 14 stored the transmitted 
identifier in a Cookie file in operation 402. The server 102 extracts the additional information 
from an additional information database 101 according to the identifier in the received the 
Cookie file in operation 503, and transmits the additional information in operation 504. 
(Paragraphs 0003, 0004, 0032, 0034-0036, 0040, and 0043; FIGs. 1 , 4 and 5). While not limited 
to this example, this example corresponds more broadly to "a server system providing additional 
information items, comprising: an additional information database which stores additional 
information items related to a plurality of contents" and "a server for receiving a file including an 
identifier of predetermined contents from a reproduction apparatus for reproducing the contents, 
the file being prepared by and stored by a browser on the reproduction apparatus prior to 
transmission to the server, retrieving one of the additional information items related to the 
contents identifier from the additional information data base according to the received file, and 
transmitting the retrieved one additional information item to the reproduction apparatus," "where 
"the contents identifier is recorded in at least one recording medium on which the contents are 
recorded" as recited in claim 51 . 
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VL Grounds of Rejection to be Reviewed 

As per 37 CFR 41 .37(c)(1)(vi), the following is a concise statement of each ground of 

appeal. 

1 . Whether claims 45-51 , 53-60, and 62-71 are patentable under 35 U.S.C. §103 in 
view of Meyer et al. (U.S. Patent No. 6,829,368) and Montulli (U.S. Patent No. 
5,744,670). 

VII. Argument 

1. Claims 45-51, 53-60, and 62-71 are patentably distinguishable over Meyer et 
al. and Montulli 

In general, in order to reject a claim under 35 U.S.C. §103, a combination of references 
must be provided which discloses each element of the claim in the manner recited in the claim. 
In interpreting the reference, the Examiner is to broadly interpret the claim, but must do so within 
the bounds of reason. In re Morris , 127 F.3d 1048, 1053-55;44 U.S.P.Q.2d 1023, 1027-28 (Fed. 
Cir. 1997). Thus, while the Examiner is to avoid reading limitations from the specification into 
the claims, the Examiner should not interpret claim limitations so broadly as to contradict or 
otherwise render a limitation meaningless as would be understood by those of ordinary skill in 
the art. See, In re Cortright . 165 F.3d 1353, 1357-58; 49 U.S.P.Q.2d 1464, 1467 (Fed. Cir. 
1999), In re Zletz . 893 F.2d 319, 321-22; 13 U.S.P.Q.2d 1320, 1322 (Fed. Cir. 1989). 

Additionally, where the Examiner is relying on a feature as being inherently disclosed in a 
reference, it is incumbent on the Examiner to provide evidence that such a feature both 
necessarily exists in the reference, and exists in a manner which is the same as presented in the 
claims. As noted by the Federal Circuit in In re Robertson . 169 F.3d 743, 745; 49 U.S.P.Q.2d 
1949, 1950-51 (Fed. Cir. 1999), to "establish inherency, the extrinsic evidence 'must make clear 
that the missing descriptive matter is necessarily present in the thing described in the reference, 
and that it would be so recognized by persons of ordinary skill.' Continental Can Co. v. 
Monsanto Co. , 948 F.2d 1264, 1268, 20 U.S.P.Q.2d 1746, 1749 (Fed. Cir. 1991). 'Inherency, 
however, may not be established by probabilities or possibilities. The mere fact that a certain 
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thing may result from a given set of circumstances is not sufficient." Id. at 1269, 20 U.S.P.Q.2d 
at 1749 (quoting In re Oelrich, 666 F.26 578, 581, 212 U.S.P.Q. 323, 326 (C.C.PA 1981)." 

Further, in order to establish a prima facie obviousness rejection, the Examiner needs to 
provide both the existence of individual elements corresponding to the recited limitations, and a 
motivation to combine the individual elements in order to create the recited invention. The 
Examiner is further required to evaluate the record as a whole, and to account for contrary 
teachings existing in the record. In re Young . 927 F.2d 588; 18 U.S.P.Q. 2d 1089 (Fed. Cir. 
1991) cited by MPEP 2143.01. Should the Examiner fail to provide evidence that either one of 
the individual elements or the motivation does not exist in the prior art, then the Examiner has 
not provided sufficient evidence to maintain a prima facie obviousness rejection of the claim, in 
re Kotzab . 217 F.3d 1365; 55 U.S.P.Q.2d 1313 (Fed. Cir. 2000). Thus, the burden is initially on 
the Examiner to provide particular evidence as to why one of ordinary skill in the art would have 
been motivated to combine the individual elements to create the recited invention, and to 
demonstrate that this evidence existed in the prior art. In re Zurko , 258 F.3d 1379; 59 
U.SP.Q.2d 1693 (Fed. Cir. 2001). 

In view of the above and as set forth below, there is insufficient evidence of a record that 

Meyer et al. (U.S. Patent No. 6,829,368) and Montulli (U.S. Patent No. 5,744,670) discloses 

explicitly or on intently, the features of the claims in a manner supporting a prima facie 

obviousness rejection under 35 U.S.C. §103. 

A. The combination of Meyer et al. and Montulli does not disclose storing a 
contents identifier prior to transmission through a network connector as 
recited in claims 45-50. and 65-69 
By way of review, claim 45 recites, among other features, "a network connector," and "a 

controller for storing the contents identifier provided by the identifier provider as a Cookie file, 

transmitting the stored contents identifier through the network connector to a server system, 

which provides additional information related to the contents through the network connector, and 

receiving through the network connector the additional information provided from the server 
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system after the stored contents identifier was transmitted." 

In contrast, Mever et al. discloses a decoder which collects identifiers in response to a 
user request while the objects containing these identifiers are being played. In order to capture 
the identifier, the decoder includes an interface having a button used by the user to request 
information about the objects. In the example of FIG. 2, an MPS ripper extracts metadata from a 
read CD, uses the metadata to obtain information about songs of the CD from a database 
CDDB, and uses this obtained information to embed an object identifier (OID) in the resulting 
MPS audio file. When selected, the decoding device packages a message including the 
identifier read from the audio file, and invokes a communication application, such as an Internet 
Browser. The invoked communication application fonft^ards the provided identifier as a message 
to a server. (Col. 4, lines 13-31, col. 5, lines 3-6, col. 6, lines 34-59, col. 13, lines 4-27, col. 16, 
line 61 to col. 52; FIGs. 1 and 2). 

However, while the communication application fonA/ards the identifier in a message 
prepared by the decoder apparatus, there is no suggestion that the communication application 
stores the content identifier as opposed to the decoder interface or the decoder apparatus, or 
that the ISRC or identifier should be stored in a file such as a Cookie file. As such, to the extent 
Mever et al. teaches reading an ISRC, temporarily buffering the ISRC, and including the ISRC in 
a message as set forth in col. 13, lines 24-51 , there is no suggestion of a need or benefit to 
again locally store the ISRC in a Cookie file. 

In order to cure this deficiency, the Examiner asserts on page 2 of the Final Office Action 
mailed June 22, 2006 that storage inherently precedes transmission and provides a portion 
Kurose et al. , "Computer Networking: A Top Down Approach Featuring the Internet," pp. 383- 
385 (Addison Wesley Longman Inc. (2001)) evidencing that a network interface card includes 
RAM. As an initial point of clarification, it is noted that the instant application has a U.S. filing 
date of July 1 3, 2001 . In contrast, the copyright date of Kurose et al. is 2001 , indicating that 
Kurose et al. was published sometime in 2001 . As such, there is insufficient evidence of record 
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as to whether Kurose et al. was published before or after July 13, 2001 such that the record is 
unclear to the extent to which Kurose et al. represents the state of the art necessarily utilized by 
the Meyer et al. 

Moreover, to the extent Kurose et al. represents a state of the art, Kurose et al. suggests 
that a network interface card (NIC) has RAM for local storage with the NIC. Kurose et al. further 
explains that such NICs are semi-autonomous as compared to the parent node, even though the 
NIC may be in the same box as the node (i.e., computer). (Pgs. 383-384 of Kurose et al.) As 
such, Kurose et al. stands for the proposition that, when a data frame is received from the node 
for transmission, the RAM of the NIC is used in the transmission of the received data frame 
apart from the node and is operating under its own controller. As such, any inherent storage 
prior to transmission occurring in Kurose et al. occurs in the semi-antonymous NIC and does not 
necessarily occur in the node. Thus, under principles of inherency, there remains insufficient 
evidence that storage occurs outside of a network interface card and prior to transmission 
through the network interface card, or that a controller of the node could control such storage 
within the RAM of the semi-antonymous NIC. 

Since the Examiner has not provided such evidence corresponding to the invention as 
claimed, it is respectfully submitted that the Examiner has not provided sufficient evidence to rely 
on Meyer et al. inherently disclosing storage of the ISRC in the decoder as opposed to an 
network interface card which semi-autonomously operates to perform a transmission as set forth 
in the Office Action and as is required to disclose the features of claim 45. 

Since Montulli is not relied upon as disclosing this feature, it is respectfully submitted that 
the combination does not disclose or suggest the invention as recited in claim 45. 

Claims 46-50 and 65-69 are patentable due at least to their depending from claim 45. 

B. The combination of Meyer et al. and Montulli does not suggest performing 
local storage as a Cookie file prior to transmission as recited in claims 45- 
50 and 65-69 

Additionally, as Meyer et al. does not disclose transmitting a contents identifier in a 
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Cookie file, the Examiner relies upon Montulli to disclose that it is well known to use Cookie files 
for data transmission. As evidence of a motivation, the Examiner asserts that one skilled in the 
art would have been motivated to use Cookie files for data transmission since Cookie files were 
known in the art as a data transmission scheme utilized in web browsers and are a type of 
container which could be used to transmit both the content identifier of a type described in 
Montulli as well as the state information actually described in Montulli . The essence of the 
Examiner's argument is that, since cookie technology was well known in the art, one skilled in 
the art could have utilized the cookie to transmit contents identifiers instead of state information. 

However, an unsubstantiated statement that existing elements could be combined as it 
was in the skill of the art to do so does not provide a basis for a rejection under 35 U.S.C. 
103(a). In re Fine . 837 F2d 1071; 5 U.S.P.Q.2d 1596 (Fed. Cir. 1988). Similarly, an 
unsubstantiated statement that elements could be combined as being "common sense" does not 
provide a basis for a rejection under 35 U.S.C. §1 03(a) since such unsupported statements 
prevent meaningful review under the Administrative Procedures Act, 5 U.S.C. §706. In re Zurko , 
258 F.3d 1379; 59 U.S.P.Q.2d 1693 (Fed. Cir. 2001). In essence, there needs to be proof that 
such a motivation exists, not conjecture. This rigorous proof is required in order to prevent the 
trap of impermissible hindsight. 

In view of the above, to the extent Meyer et al. suggests the decoder preparing a 
message and invoking the Internet browser solely to transmit the contents identifier in a 
message, Meyer et al. does not suggest a need for the creation of the Cookie file with the 
contents identifier since Meyer et al. does not rely upon the Internet browser for more than 
relaying messages. Thus, to the extent that the message of Meyer et al. is a container for the 
contents identifier, the record is unclear as to why one skilled in the art would utilize cookie 
technology as the particular delivery mechanism for this container. 

Moreover, Montulli teaches that such use of Cookie files is restricted to the context of 
client-server relationships where the state of the client in this relationship cannot otherwise be 
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maintained in client-server system. (Col. 2, lines 15-21 of Montulli) . Thus, Montulli discloses 
using Cookie files sent from a server to a client so that, when the client later accesses the same 
server, the client information is maintained with respect to the server by sending the cookie to 
the same server. (Col. 9, lines 45-65 and Example 1 of Montulli) . There is no suggestion that 
the same or another Cookie file is pre-generated at the client prior to contact with the server so 
as to be independent of the Cookie file provided by the server. 

There is further no suggestion of an advantage to using the Cookie files in such other 
contexts, and there is no suggestion that the message in Meyer et al. is needed to maintain a 
client-server relationship such that the contents identifier of Meyer et al. would not be 
understood as a type of state information described in the context of Montulli . As such, any such 
wide use relied upon by the Examiner has not been shown with respect to other contexts, such 
as that in Meyer et al. Thus, even assuming that cookie technology is in widespread use to 
maintain a client-server relationship, there is insufficient evidence that such wide spread use, in 
and of itself, is sufficient to evidence why one skilled in the art would be motivated to modify 
Meyer et al. , which does not describe messaging in the context of maintenance of a client-server 
relationship, to use cookie technology as a message/container for a contents identifier. 

Moreover, to the extent that the Cookie file can be used to coordinate clients and 
servers, Meyer et al. teaches that the coordination between the client and server is taken into 
account using sets of rules which govern timing of returned data after the identifier has been 
sent to the server. (Col. 5, lines 48-53). There is no suggestion that a Cookie file like that of 
Montulli represents an improvement over this set of rules already suggested in Meyer et al. 

Also, while Meyer et al. discloses a decoder which collects identifiers, the identifiers can 
be an ISRC and can be read from a media object. The decoding device packages a message 
including the identifier, and invokes a communication application, such as an Internet Browser. 
The invoked communication application forwards the provided identifier as a message to a 
server 1. (Col. 3, lines 54-59, col. 13, lines 4-27, col. 16, line 61 to col. 52). When received at 
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the server 1 , the server 1 uses the identifier to return data or actions associated with the 
received identifier. Additionally, context data stored by the decoder may be used at the server to 
determine information on the user and/or the computer so as to judge, for instance whether the 
returned data or actions need to be altered to be age appropriate. (Col. 5, lines 25-47). 
However, while Meyer et al. discloses fonwarding a message including the read ISRC and the 
context information, there is no suggestion that the ISRC or identifier should be stored in a file 
such as a Cookie file. As such, to the extent Meyer et al. teaches reading an ISRC, temporarily 
buffering the ISRC, and including the ISRC in a message as set forth in col. 13, lines 24-51, 
there is no suggestion of a need or benefit to again locally store the ISRC in a Cookie file as 
suggested in Montulli . 

In reviewing the combined teachings, Montulli discloses the use of the Cookie file in the 
context of client-server relationships, where the state of the client cannot otherwise be 
maintained in a client-server system. (Col. 2, lines 15-21 of Montulli) . Thus, Montulli discloses a 
server creating the Cookie file and sending the Cookie file from the server to the client. 
Therefore, when the client later accesses the same server, the client information is maintained 
with respect to the server by the client sending the Cookie file to the same server. (Col. 9, lines 
45-65 and Example 1 of Montulli) . There is no suggestion that the same or another Cookie file 
is pre-generated at the client prior to contact with the server so as to be independent of the 
Cookie file provided by the server. 

In contrast, Meyer et al. suggests storing the identifiers in the object itself, which is locally 
stored under the control of the decoder/MP3 player/receiver, and when a connection to a server 
1 is needed, the decoder/MP3 player/receiver extracts the identifier and sends the identifier via 
the Internet Browser to the server 1. (Col. 6, line 60 to col. 7, line 5; FIGs. 1 and 2). There is no 
suggestion of a need to again store the already-stored identifier in this process. 

Additionally, while suggested as being useful for retaining client status information in the 
client-server system after the server has disconnected from the client, there is no suggestion 
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that the Cookie file of Montulli should be used by the client to transmit non-transmission related 
data (such as contents identifiers) not generated during a prior or existing network connection 
between the client and the server. Specifically, in Meyer et al. . the decoder/MP3 player/receiver 
sends the identifier prior to establishing a client-server relationship as the client, whereas 
Montulli suggests that the Cookie file is generated by a server to enable the server to maintain 
an exisfing client-server relationship. (Col. 2, lines 13-21). Montulli does not suggest any 
particular advantage for the use of Cookie files in other contexts, such as where the client is 
sending stored information to the server. Since the prior art as a whole does not suggest using 
the Cookie file outside of maintaining a client-server relafionship, the record as a whole does not 
provide sufficient evidence as to why one skilled in the art would further modify the decoder of 
Meyer et al. to implement the teaching of Montulli to have a client store and send the Cookie file 
incorporafing an ISRC or identifier. 

Indeed, there are concerns about the over use of Cookie files as suggested in Lin et al. . 
Taking a Byte Out of Cookies: Privacy, Consent, and the Web, ACM Policy Proceedings of the 
Ethics and Social Impact Component on Shaping Policy in the Information Age, pp. 39-51 
(1 998). At the very least, Lin et al. would limit the extent to which one skilled in the art would 
have wanted to implement the Cookie file unless needed to maintain a client-server relationship. 
Thus, to the extent Cookie files are suggested by Montulli , the record as a whole also cautions 
against overuse of Cookie files. Therefore, in view of Lin et al. . one skilled in the art would not 
be motivated to use Cookie files every time messages are to be sent to a server from a client 
instead of merely to maintain the server-client relationship, which is the suggesfion actually 
made by Montulli . 

As such, the record is unclear as to why one skilled in the art would modify Meyer et al. . 
which transfers messages generated by the decoder apparatus through the Internet browser, to 
instead use the Internet browser to store, locally, the Cookie file of Montulli . and then send the 
stored Cookie file with the same information as the message to the server. Thus, it is 
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respectfully submitted that, in view of the record as a whole, there is insufficient of a nnotivation 
to combine the technologies of Meyer et al. and Montulli to store the message of Meyer etal. in 
a Cookie file as is required to sustain a prima facie obviousness rejection of claims 45-50 and 
65-69. 

C. The combination of Meyer et al. and Montulli does not disclose a browser 
storing a contents identifier prior to transmission as recited in claims 51 . 
53-57 and 70 

By way of review, claim 51 recites, among other features, "a server for receiving a file 
including an identifier of predetermined contents from a reproduction apparatus for reproducing 
the contents, the file being prepared by and stored by a browser on the reproduction apparatus 
prior to transmission to the server." 

In contrast and as similarly noted above in Section VII(1)(A), Meyer et al. teaches 
invoking the communication application to forward the provided identifier as a message to a 
server. (Col. 4, lines 13-31, col. 5, lines 3-6, col. 6, lines 34-59, col. 13, lines 4-27, col. 16, line 
61 to col. 52; FIGs. 1 and 2). However, while the communication application fonA/ards the 
identifier in a message prepared by the decoder apparatus, there is no suggestion that the 
communication application stores the content identifier as opposed to the decoder interface or 
the decoder apparatus. Instead, Meyer et al. discloses a decoder/MP3 player/receiver which 
obtains, embeds, and/or retrieves the content identifier, with the internet browser being used at 
most to fonrt/ard messages under the control of the decoder/MP3 player/receiver. As such, to 
the extent Meyer et al. teaches reading an ISRC, temporarily buffering the ISRC, and including 
the ISRC in a message as set forth in col. 13, lines 24-51 , there is no suggestion of a need or 
benefit to again locally store the ISRC in a locally stored file, such as the Cookie file as 
suggested in Montulli . 

Further, to the extent that Kurose et al. suggests that network interface cards (NICs) 
have RAM, there is no suggestion that the communication application necessarily controls the 
NIC to store the ISRC in the RAM of the NIC. Instead, Kurose et al. teaches that such NICs are 
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semi-autonomous as compared to the parent node such that any storage occurs independent of 
the existence of the communication application, even though the NIC may be in the same box as 
the node (i.e., computer). (Pgs. 383-384 of Kurose et al.) Thus, any inherent storage prior to 
transmission occurring in Kurose et al. occurs in the semi-antonymous NIC and does not 
necessarily occur in the node. Thus, under principles of inherency there remains insufficient 
evidence that storage occurs outside of a network interface card and prior to transmission 
through the network interface card, or that a browser of the node could control such storage 
within the RAM of the semi-antonymous NIC. 

Since Montulli is not relied upon as disclosing this feature, it is respectfully submitted that 
the combination does not disclose or suggest the invention as recited in claim 51. 

Claims 53-57 and 70 are patentable due at least to their depending from claim 51 . 

D. The combination of Mever et al. and Montulli does not suggest the use of 
a browser to perform local storage of contents identifier prior to 
transmission as recited in claims 51 . 53-58, and 70 
As noted above in Section VII(1)(B) and VII(1)(C), Mever et al. discloses a decoder which 

collects identifiers. The identifiers can be an ISRC and can be read from a media object. The 

decoding device packages a message including the identifier, and invokes a communication 

application, such as an Internet browser. The invoked communication application forwards the 

provided identifier as a message to a server 1. (Col. 3, lines 54-59, col. 13, lines 4-27, col. 16, 

line 61 to col. 52). When received at the server 1 , the server 1 uses the identifier to return data 

or actions associated with the received identifier. Additionally, context data stored by the 

decoder may be used at the server to determine information on the user and/or the computer so 

as to judge, for instance whether the returned data or actions need to be altered to be age 

appropriate. (Col. 5, lines 25-47). However, while Mever et al. discloses forwarding a message 

including the read ISRC and the context information, there is no suggestion that the ISRC or 

identifier should be locally stored in a file. As such, to the extent Mever et al. teaches reading an 

ISRC, temporarily buffering the ISRC, and including the ISRC in a message as set forth in col. 
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13, lines 24-51 , there is no suggestion of a need or benefit to again locally store the ISRC in a 
file, such as the Cookie file as suggested in Montulli . 

Further, while suggested as being useful for retaining client status information in the 
client-server system, there is no suggestion that the Cookie file of Montulli would be useful in the 
context of the reading and transmission of the ISRC in Meyer et al. or otherwise resolve a 
problem in Meyer et al. As also noted above in Section VII(1)(B), since the prior art as a whole 
does not suggest using the Cookie file outside of maintaining a client-server relationship and 
teaches away from overuse of the Cookie file, the record as a whole does not provide sufficient 
evidence as to why one skilled in the art would further modify the decoder of Meyer et al. to 
implement the teaching of Montulli to have a client store and send the Cookie file incorporating 
an ISRC or identifier. 

As such, it is respectfully submitted that there is insufficient evidence of record as to why 
one skilled in the art would utilize the Cookie file of Montulli in the context of Meyer et al. in a 
manner meeting the features of claim 51 as is required to maintain a prima facie obviousness 
rejection under 35 U.S.C. §103. 

Similarly, there is insufficient evidence of record to maintain a prima facie obviousness 

rejection under 35 U.S.C. §103 as to claims 53-58, and 70. 

E. The combination of Meyer et al. and Montulli does not disclose a browser 
storing a contents identifier as a file prior to transmission through a 
network connector and a server to receive the stored file as recited in 
claims 54-56 

By way of review, claim 54 recites, among other features, "a network connector," and 
"a controller to control the browser to prepare and store the file including the identifier from the 
identifier provider prior to transmission to the server, to use the browser to transmit the stored 
identifier to the server through the network connector, to use the browser to receive the retrieved 
one additional information item transmitted from the server through the network connector 
corresponding to the transmitted identifier, and to control a display of the received one additional 
information item." 
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As similarly set forth in Sections VII(1)(A) and (1)(C), while the communication 
application of Meyer et al. fonA/ards the identifier in a message prepared by the decoder 
apparatus, there is no suggestion that the communication application stores the content 
identifier as opposed to the decoder interface or the decoder apparatus, or that the ISRC or 
identifier should be stored in a file such as a Cookie file. As such, to the extent Meyer et al. 
teaches reading an ISRC, temporarily buffering the ISRC, and including the ISRC in a message 
as set forth in col. 13, lines 24-51 , there is no suggestion of a need or benefit to again locally 
store the ISRC in a Cookie file as suggested in Montulli . Instead, Meyer et al. discloses a 
decoder/MP3 player/receiver which obtains, embeds, and/or retrieves the content identifier, with 
the internet browser being used at most to forward messages under the control of the 
decoder/MP3 player/receiver. 

To the extent Kurose et al. represents the state of the art, Kurose et al. relates to the 
network interface cards (NICs) having RAM, which are separate from the node (i.e., the decoder 
of Meyer et al.) . Kurose et al. further explains that such NICs are semi-autonomous as 
compared to the parent node, even though the NIC may be in the same box as the node (i.e., 
computer). (Pgs. 383-384 of Kurose et al.) As such, Kurose et al. stands for the proposition 
that, when a data frame is received from the node for transmission, the RAM of the NIC is used 
in the transmission of the received data frame apart from the node and is operafing under its 
own controller. As such, any inherent storage prior to transmission occurring in Kurose et al. 
occurs in the semi-antonymous NIC and does not necessarily occur in the node. Thus, under 
principles of inherency there remains insufficient evidence that storage occurs outside of a 
network interface card and prior to transmission through the network interface card, or that a 
controller of the node could control such storage within the RAM of the semi-antonymous NIC. 

Since the Examiner has not provided such evidence corresponding to the invention as 
claimed, it is respectfully submitted that the Examiner has not provided sufficient evidence to rely 
on Meyer et al. inherently disclosing such features as set forth in the Office Action and as is 
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required to disclose the features of claim 54. 

Since Montulli is not relied upon as disclosing this feature, it is respectfully submitted that 
the combination does not disclose or suggest the invention as recited in claim 54. 

Claims 55 and 56 are deemed patentable due at least to the patentability of claim 54. 

F. The combination of Meyer et al. and Montulli does not suggest the use of 
a browser to perform local storage of contents identifier as a Cookie File 
prior to transmission where same contents identifier is on information 
storage medium being read by apparatus as recited in claim 58 

By way of review, claim 58, which depends from claim 57 recites, among other features, 

the that "the server receives the contents identifier from the browser installed in the controller of 
the reproduction apparatus as a Cookie file prepared by the browser." As similarly noted above 
in Sections VII(1)(B) and VIII(1)(D), while suggested as being useful for retaining client status 
information in the client-server system, there is no suggestion that the Cookie of Montulli would 
be useful in the context of the reading and transmission of the ISRC in Meyer et al. or othenA^ise 
resolve a problem in Meyer et al. As also noted above in Section \/ll(1)(B), since the prior art as 
a whole does not suggest using the Cookie file outside of maintaining a client-server relationship 
and teaches away from overuse of the Cookie file, the record as a whole does not provide 
sufficient evidence as to why one skilled in the art would further modify the communication 
application of the decoder of Meyer et al. to implement the teaching of Montulli to have a client 
store and send the Cookie file incorporating an ISRC or identifier prior to transmission. As such, 
it is respectfully submitted that there is insufficient evidence of record as to why one skilled in the 
art would utilize the Cookie file of Montulli in the context of Meyer et al. in a manner meeting the 
features of claim 58 as is required to maintain a prima facie obviousness rejection under 35 
U.S.C. §103. 

G. The combination of Meyer et al. and Montulli does not disclose an 
information storage medium having a Cookie program for implementing a 
method including storing as a Cookie File a contents identifier prior to 
transmission through a network connector as recited in claims 59, 60. 62- 
64, and 71 

By way of review, claim 59 recites, among other features, "a Cookie program which 
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implements a method of generating a Cookie file used by the apparatus" including "preparing 
and storing the detected contents identifier in the Cookie file for use in a subsequent 
transmission by the apparatus to a server system providing additional information related to the 
predetermined contents through a network connector of the apparatus in response to the sent 
Cookie file." 

In contrast and as similarly noted in Section VII(A), to the extent Meyer et al. teaches 
reading an ISRC, temporarily buffering the ISRC, and including the ISRC in a message as set 
forth in col. 13, lines 24-51 , there is no suggestion of a need or benefit to again locally store the 
ISRC in a Cookie file as suggested in Montulli . Instead, Meyer et al. discloses a decoder/MP3 
player/receiver which obtains, embeds, and/or retrieves the content identifier, with the internet 
browser being used at most to forward messages under the control of the decoder/MPS 
player/receiver. 

Moreover, to the extent Kurose et al. represents a state of the art, Kurose et al. stands 
for the proposition that, when a data frame is received from the node for transmission, the RAM 
of the NIC is used in the transmission of the received data frame apart from the node and is 
operating under its own controller. As such, any inherent storage prior to transmission occurring 
in Kurose et al. occurs in the semi-antonymous NIC and does not necessarily occur in the node. 
Thus, under principles of inherency there remains insufficient evidence that storage occurs 
outside of a network interface card and prior to transmission through the network interface card, 
or that a controller of the node could control such storage within the RAM of the semi- 
antonymous NIC. 

Since the Examiner has not provided such evidence corresponding to the invention as 
claimed, it is respectfully submitted that the Examiner has not provided sufficient evidence to rely 
on Meyer et al. inherently disclosing such features as set forth in the Office Action and as is 
required to disclose the features of claim 59. 

Since Montulli is not relied upon as disclosing this feature, it is respectfully submitted that 
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the combination does not disclose or suggest the invention as recited in claim 59. 

Claims 60, 62-64, and 71 are patentable due at least to their depending from claim 59. 

H. The combination of Meyer et al. and Montulli does not suggest an 

information storage medium having a Cookie program for implementing a 
method including preparing and storing the detected contents identifier in 
the Cookie file for use in a subseguent transmission by the apparatus as 
recited in claims 59. 60. 62-64. and 71 
As similarly noted above in Sections VII(1)(B) and \/ll(1)(F), while Meyer et al. discloses 

foHA^arding a message including the read ISRC and the context information, there is no 

suggestion that the ISRC or identifier should be locally stored in a file. As such, to the extent 

Meyer et al. teaches reading an ISRC, temporarily buffering the ISRC, and including the ISRC in 

a message as set forth in col. 1 3, lines 24-51 , there is no suggestion of a need or benefit to 

again locally store the ISRC in a file, such as the Cookie file as suggested in Montulli . 

Further, while suggested as being useful for retaining client status information in the 

client-server system, there is no suggesfion that the Cookie file of Montulli would be useful in the 

context of the reading and transmission of the ISRC in Meyer et al. or othenwise resolve a 

problem in Meyer et al. As also noted above in Section VII(1)(B), since the prior art as a whole 

does not suggest using the Cookie file outside of maintaining a client-server relationship and 

teaches away from overuse of the Cookie file, the record as a whole does not provide sufficient 

evidence as to why one skilled in the art would further modify the decoder of Meyer et al. to 

implement the teaching of Montulli to have a client store the Cookie file incorporafing an ISRC or 

identifier. 

As such, it is respectfully submitted that there is insufficient evidence of record as to why 
one skilled in the art would utilize the Cookie file of Montulli in the context of Meyer et al. in a 
manner meeting the features of claim 59 as is required to maintain a prima facie obviousness 
rejection under 35 U.S.C. §103. 

For similar reasons, it is respectfully submitted that insufficient evidence of record to 
maintain a prima facie obviousness rejecfion under 35 U.S.C. §1 03 of claims 60, 62-64, and 71 . 
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I. The combination of Meyer et al. and Montulli does not suggest the use of 
a browser to perform local storage of contents identifier as a Cookie File 
prior to transmission through a network connector as recited in claim 66 
By way of review, claim 66, which depends from claim 45, recites, among other features, 

"a browser," where "the controller controls the browser to prepare and store the Cookie file with 

the contents identifier in the prepared Cookie file, and uses the browser to transmit the stored 

Cookie to the server system and to receive the additional information provided from the server 

system after transmitting the stored Cookie." 

In contrast and as similarly noted above in Sections VII(1)(B) and (1)(F), while suggested 

as being useful for retaining client status information in the client-server system, there is no 

suggestion that the Cookie file of Montulli would be useful in the context of the reading and 

transmission of the ISRC in Meyer et al. or othenA^ise resolve a problem in Meyer et al. As also 

noted above in Section \/ll(1)(B), since the prior art as a whole does not suggest using the 

Cookie file outside of maintaining a client-server relationship and teaches away from overuse of 

the Cookie file, the record as a whole does not provide sufficient evidence as to why one skilled 

in the art would further modify the communication application of the decoder of Meyer et al. to 

implement the teaching of Montulli to have a client store and send the Cookie file incorporating 

an ISRC or identifier prior to transmission. As such, it is respectfully submitted that there is 

insufficient evidence of record as to why one skilled in the art would utilize the Cookie file of 

Montulli in the context of Meyer et al. in a manner meeting the features of claim 66 as is required 

to maintain a prima facie obviousness rejection under 35 U.S.C. §103. 

VIII. Conclusion 

In view of the law and facts stated herein, the Appellant respectfully submits that the 
Examiner has failed to cite a reference or combination of references sufficient to maintain an 
obviousness rejection of the rejected claims and has failed to rebut the arguments in at least the 
Amendment After Final Rejection filed September 20, 2006 and/or the Amendment filed April 4, 
2006. 
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For ail the foregoing reasons, the Appellant respectfully submits that the cited prior art 
does not teach or suggest the presently claimed invention. The claims are patentable over the 
prior art of record and the Examiner's findings of unpatentability regarding claims 45 through 51 , 
53 through 60 and 62 through 71 should be reversed. 

The Commissioner is hereby authorized to charge any additional fees required in 
connection with the filing of the Appeal Brief to our Deposit Account No. 50-3333. 



Respectfully submitted, 



STEIN, MCEWEN & BUI LLP 



1400 Eye Street, NW, Suite 300 
Washington, D.C. 20005 
Telephone: (202)216-9505 
Facsimile: (202)216-9510 
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1-44. (CANCELED) 

45. (PREVIOUSLY PRESENTED) A reproduction apparatus for reproducing contents, 
comprising: 

an identifier provider for providing an identifier of the contents; 
a network connector; and 

a controller for storing the contents identifier provided by the identifier provider as a 
Cookie file, transnnitting the stored contents identifier through the network connector to a server 
system, which provides additional information related to the contents through the network 
connector, and receiving through the network connector the additional information provided from 
the server system after the stored contents identifier was transmitted. 

46. (PREVIOUSLY PRESENTED) The reproduction apparatus of claim 45, further 
comprising a reading unit for reading data from at least one storage medium, in which the 
contents are stored, and reads the contents identifier from the at least one storage medium, 
wherein the identifier provider provides the read contents identifier read from the at least one 
storage medium to the controller. 

47. (PREVIOUSLY PRESENTED) The reproduction apparatus of claim 45, further 
comprising a reading unit for reading data from at least one storage medium, in which the 
contents are stored, and reads an international standard recording code (ISRC) from the at least 
one storage medium, wherein the identifier provider receives the ISRC read and provides the 
ISRC as the contents identifier to the controller. 

48. (PREVIOUSLY PRESENTED) The reproduction apparatus of claim 45, further 
comprising: 

a reading unit for reading the contents from at least one storage medium in which the 
contents are stored; and 

a reproducer for reproducing contents read by the reading unit. 

49. (PREVIOUSLY PRESENTED) The reproduction apparatus of claim 48, wherein the 
reproducer further comprises a decoder for decoding the read contents. 
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50. (PREVIOUSLY PRESENTED) The reproduction apparatus of claim 49, wherein the 
reproducer further comprises: 

a speaker for receiving audio data output from the decoder and delivering sound; and 
a display apparatus for receiving video data output from the decoder and displaying 
images. 

51 . (PREVIOUSLY PRESENTED) A server system providing additional information items, 
comprising: 

an additional information database which stores additional information items related to a 
plurality of contents; and 

a server for receiving a file including an identifier of predetermined contents from a 
reproduction apparatus for reproducing the contents, the file being prepared by and stored by a 
browser on the reproduction apparatus prior to transmission to the server, retrieving one of the 
additional information items related to the contents identifier from the additional information data 
base according to the received file, and transmitting the retrieved one additional information item 
to the reproduction apparatus, 

wherein the contents identifier is recorded in at least one recording medium on which the 
contents are recorded. 

52. (CANCELED) 

53. (PREVIOUSLY PRESENTED) The server system of claim 51 , wherein: 

an international standard recording code (ISRC) is recorded in at least one recording 
medium on which the contents are recorded, and 

the server receives the ISRC code as the contents identifier, retrieves the one of the 
additional information items mapped to the ISRC code from the additional information database, 
and transmits the retrieved one additional information item to the reproduction apparatus. 

54. (PREVIOUSLY PRESENTED) The server system of claim 51 , wherein: 

the server transmits the additional information item corresponding to the received 
contents identifier to the reproduction apparatus, and 
the reproduction apparatus comprises: 

an identifier provider for providing the identifier of the contents, 
the browser, 
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a network connector, and 

a controller to control the browser to prepare and store the file including the 
identifier from the identifier provider prior to transmission to the server, to use the browser to 
transmit the stored identifier to the server through the network connector, to use the browser to 
receive the retrieved one additional information item transmitted from the server through the 
network connector corresponding to the transmitted identifier, and to control a display of the 
received one additional information item. 

55. (PREVIOUSLY PRESENTED) The server system of claim 54, wherein: 

the reproduction apparatus further comprises a reading unit for reading data from at least 
one storage medium, 

the at least one storage medium stores the contents, 

the identifier provider provides the contents identifier read from the at least one storage 
medium to the controller, and 

the controller receives the contents identifier from the reproduction apparatus for 
transmitting the contents identifier provided by the identifier provider through the network 
connector to the server. 

56. (PREVIOUSLY PRESENTED)The server system of claim 55, wherein the server 
receives an international standard recording code (ISRC) read from the at least one storage 
medium by the reading unit and provides the received ISRC code as the contents identifier to 
the controller. 

57. (PREVIOUSLY PRESENTED) The server system of claim 51 , wherein the server 
receives the contents identifier from the browser installed in a controller of the reproduction 
apparatus. 

58. (PREVIOUSLY PRESENTED) The server system of claim 57, wherein the server 
receives the contents identifier from the browser installed in the controller of the reproduction 
apparatus as a Cookie file prepared by the browser. 

59. (PREVIOUSLY PRESENTED) An information storage medium for use with a 
recording and/or reproducing apparatus and comprising a Cookie program which implements a 
method of generating a Cookie file used by the apparatus, the method comprising: 
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detecting an identifier of predetermined contents; and 

preparing and storing the detected contents identifier in the Cookie file for use in a 
subsequent transmission by the apparatus to a server system providing additional information 
related to the predetermined contents through a network connector of the apparatus in response 
to the sent Cookie file, 

wherein the contents identifier is an international standard recording code (ISRC) read 
from a recording medium. 

60. (PREVIOUSLY PRESENTED)The information storage medium of claim 59, wherein 
the method further comprises reading the contents identifier from the recording medium on 
which the contents are stored. 

61. (CANCELED) 

62. (PREVIOUSLY PRESENTED) The information storage medium of claim 60, wherein 
the Cookie file is prepared by the apparatus and is stored on the apparatus prior to transmission, 
and the Cookie file includes the contents identifier read from the recording medium. 

63. (PREVIOUSLY PRESENTED) The information storage medium of claim 60, wherein 
the Cookie file is prepared by a browser provided in the apparatus and is stored prior to 
transmission, and the Cookie file includes the contents identifier read from the recording 
medium. 

64. (PREVIOUSLY PRESENTED) The information storage medium of claim 60, wherein 
the Cookie file is prepared by a browser provided in the apparatus and is stored prior to 
transmission, and the method further comprises transmitting the Cookie file to the server system 
providing the additional information through a network. 

65. (PREVIOUSLY PRESENTED) The reproduction apparatus of claim 45, wherein the 
received additional information is reproduced without reproducing the corresponding contents. 

66. (PREVIOUSLY PRESENTED) The reproduction apparatus of claim 45, further 
comprising a browser, and the controller controls the browser to prepare and store the Cookie 
file with the contents identifier in the prepared Cookie file, and uses the browser to transmit the 
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stored Cookie to the server system and to receive the additional information provided from the 
server system after transmitting the stored Cookie. 

67. (PREVIOUSLY PRESENTED) The reproduction apparatus of claim 45, wherein: 
the controller receives an input requesting retrieval of the additional information, 

if the received input requests receipt of the additional information without reproducing the 
corresponding contents, the additional information is retrieved from the server system using the 
Cookie file without reproducing the corresponding contents, and 

if the received input requests the additional information while reproducing the 
corresponding contents, the additional information is retrieved from the server system using the 
Cookie file while reproducing the corresponding contents, 

68. (PREVIOUSLY PRESENTED) The reproduction apparatus of claim 45, further 
comprising a memory in which the controller stores the Cookie file prior to providing the Cookie 
file to the server system. 

69. (PREVIOUSLY PRESENTED) The reproduction apparatus of claim 45, wherein the 
contents comprises audio and/or video predetermined contents, and the additional information 
includes words of a song of the audio and/or video contents, personal information items on 
singers of the audio and/or video contents, contents of recent activities of the audio and/or video 
contents, other songs of a similar genre of the audio and/or video contents, or combinations 
thereof. 

70. (PREVIOUSLY PRESENTED)The server system of claim 51 , wherein the contents 
comprises audio and/or video predetermined contents, and the additional information items 
include words of a song of the audio and/or video contents, personal information items on 
singers of the audio and/or video contents, contents of recent activities of the audio and/or video 
contents, other songs of a similar genre of the audio and/or video contents, or combinations 
thereof. 

71 . (PREVIOUSLY PRESENTED)The information storage medium of claim 59, wherein 
the predetermined contents comprises audio and/or video predetermined contents, and the 
additional information includes words of a song of the audio and/or video contents, personal 
information items on singers of the audio and/or video contents, contents of recent activities of 
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the audio and/or video contents, other songs of a similar genre of the audio and/or video 
contents, or combinations thereof. 
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J.l a The Data Link loyer: Introduction, Services 



383 



m 



Error detection in the linlc layer is usually more sophisticated and implemented 
in hardware. 

I Erivr correction. Error correction is similar to error detection, except that a re- 
' ceiver cannot only detect whether errors have been introduced in the frame but 
can also determine exactly where in the frame the errors have occurred (and 
hence correct these errors). Some protocols (such as ATM) provide link-layer error 
correction for the packet header rather than for the entire packet. We cover error 
detection and correction in Section 5.2. 

^ Half-duplex and full-duplex. With full-duplex transmission, the nodes at both 
I ends of a link may transmit packets at the same time. With half-duplex transmis- 
f sion, a node cannot both transmit and receive at the same time. 



^, As noted above, many of the services provided by the link layer have strong 
l^llcls with service,s provided at the transport layer. For example, both the link 
:i^isverand the transport layer can provide reliable delivery. Although the mechanisms 
pd to provide reliable delivery in the two layers are similar (see Section 3 4) the 
reliable delivery services are not the .same. A transport protocol provides reli- 
^ delivery between two processes on an end-to-end basis; a reliable link-layer 
«pcol provides the reliable-delivery service between two nodes connected by a 
ile link. Similarly, both link-layer and transport-layer protocols can provide flow 
ilrol and error detection; again, flow control in a transport-layer protocol is pro- 
ted on an end-to-end basis, whereas it is provided in a link-layer protocol on a 
Mo-adjacent-node basis. 



i I 



Adopters Communicating 

itgiven communication link, the link-layer protocol is, for the most part, imple- 

I ^ ^"^ ^ ""^^ Adapters a,; also 

fnon y known as network Interface cards or NICs. As shown in Figure 5.2 the 

El'lT T "^"g "'^^ ^> « host or router) passes a network-lLyer 
to the adapter that handles the sending side of the communicaUon link. The 

fctr . t' '^^^'"^"S ^''^P'*' ^^-^ entire frame. 

En! T'^^'^-^^y^ datagram, and passes it to the network layer. If the link- 

fZ^l V '^'^'^'"^ adapter that performs en-or checking. If the link- 
& 1 eT ' S''"' *^ ""^^^"'^""^ reliable'delivery (for 

l^^aZTth"; r^'!' ^'«'<^l«'g™ents) are entirely implemented 

PeirmlJll f'T P'"'''''*^ ^''^ Section 5.3). 

Ea^n? P""*^"" " '^""'^'y implemented in the adapters. 

I. deteSiTnl'i? f ,'"'-""!°°°'"°»'' example, an adapter can receive a 

4: «nnme ,f a frame is m error and discard the frame without notifying its 
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Figure 5.2 * The link-layer protocol for o communication link is implemented in the 
adopters at the two ends of the link 



"oirenl" node An adapter that receives a frame only interrupts its parent rjode when 

rest of the node, and is ultimately under the control of the node. 

As shown in Figure 5.3. the main components of an adapter are the 

Se is im «ed'by chip set that can be bought on ^^^^^^^^ 

this reason. Ethernet adapters are incredibly cheaI^-often less than $30 for 10 Mbps 

and 100 Mbps transmission rates, r. . 

Semet. .nd 155 Mbps ATM by ^-^^l^;^^^^^^^^ 

Data Communications magazme provides a nice introducuon to uup 

adapters [Giga Adapter 1997]. 



5.2 B Error Detection and Correction Techniques 385 




Node Adapter card 

Figure S.3 The odapfer is a semi-autonomous unit 



Network 
link 



5.2 ♦ Error Detection ond Correction Techniques 



In the previous section, we noted thai bit-level error detection and correction— 
detecting and correcting the corruption of bits in a data-link-layer frame sent from 
one node to another physically connected neighboring node— are two services often 
provided by the data-link layer. We saw in Chapter 3 that error detection and correc- 
tion services are also often offered at the transport layer as well. In this section, 
we'll examine a few of the simplest techniques that can be used to detect and, in 
some cases, correct such bit errors. A full treatment of the theory and implemerita- 
tion of this topic is itself the topic of many textbooks (for example, [Schwartz 
1980]), and our treatment here is necessarily brief. Our goal here is to develop an 
intuitive feel for the capabilities that error detection and correction techniques pro- 
vide, and to see how a few simple techniques work and are used in practice in the 
data link layer. 

Figure 5.4 iUustrates the setting for our study. At the sending node, data, D, to 
be protected against bit errors is augmented with error-detection and correction bits, 
EDC, Typically, the data to be protected includes not only the datagram passed 
down from the networic layer for transmission across the link, but also link-level ad- 
dressing information, sequence numbers, and other fields in the data-link frame 
header. Both D and EDC are sent to the receiving node in a link-level frame. At the 
receiving node, a sequence of bits, D' and EDC are received. Note that D' and 
EDC may differ from the original D and EDC as a result of in-transit bit flips. 

The receiver's challenge is to det^mine whether or not D' is the same as the 
original Z). given that it has only received D' and EDC, The exact wording of the 
receiver's decision in Figure 5.4 (we ask whether an error is detected, not whether 
an error has occurred!) is important. Error-detection and correction techniques 
allow the receiver to sometimes, but not always, detect that bit errors have occurred. 
That is, even with the use of error-detection bits there will still be a possibility that 
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1 Introduction 

What is out right to privacy on the World Wide Web? Ts it 
reasonable for us to assume that we should always have con- 
trol over our personal infornaation on the Web? These ques- 
tions become increasingly urgent as vfc continue to unknow- 
ingly release our personal information into cyberspace. 

In a recent Internet privacy survey directed by Alan 
Westin, .53 percent of Internet users and 57 percent of online 
service users were concerned that their Internet browsing 
behavior would be linked to their e-mail addresses and dis- 
closed to other people or organizations [1]. Such concerns 
about privacy are not new. Many of us express similar con- 
cerns when we apply for a credit card or a car loan. What is 
new about our privacy concerns, however, i.s the environ- 
ment in which we express them — the Web, According to 
Moor [2], information on the Web is "greased** and its ma- 
nipulation occurs more easily and at a much grander scale. 
Because the Web is a new environment, there are few trans- 
actions on the Web whose impact is completely understood 
by the general public. Furthermore, unlike applying for a 
credit card or car loan, we may not even be aware that we 
are releasing personal information as we "surf* the Web. 



For instance, many Web sites use a mechanism called a 
^'cookie" which silently collects information about our visit 
to that site. The consequence of dealing widi a new environ- 
ment like the Web is that we are unable to make deliberate 
decisions about revealing our personal information. Simply 
put, we cannot make well-informed decisions because we do 
not have reasonable expectations of privacy on the Web. 

In this paper, we make three contributions to understand- 
ing privacy and the right to privacy on the Web. First, we 
highlight the role of informed consent in the theory of pri- 
vac)'. Because wc currently do not have a reasonable expecta- 
tion of privacy on the Web, informed consent is important: 
if we do not have enough knowledge to make an informed 
decision about revealing our personal information on the 
Web, we should be given that knowledge before making our 
decisions. Second, we establish the conditions under which 
the collection and centralization of personal information are 
ethically justifiable. The collection and centralization of per- 
sonal information on the Web affect our privacy in funda- 
mentally different ways. While previous notions of privacy 
describe when such manipulations of information cause losses 
or violations of privacy, they do not address how such viola- 
tions might be avoided. We address this issue by showing 
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that infermed consent is sufficient for the collection of per- 
ianal information to be ethical. Third, we offer an interpre- 
lacion of what a "reasonable expectation of privacy" may 
mean for Internet cookies. In doing so, we distinguish be- 
tween morally permissible and immoral uses of cookies. 

Seaion 2 discusses dominant approaches to privacy and 
the importance of privacy. Section 3 outlines the argument 
for informed consent. In Sections 4 and 5, we develop the 
ethical boundaries for collecting ajid centralizing personal 
information. Section 6 explores the notion of a reasonable 
expectation of privacy in public places. In Section 7, we 
introduce the idea that our reasonable expectations of pri- 
vacy on the Web should reflea the realization that the Internet 
is a public place. Finally, in Section 8 we apply out moral 
analysis to the current privacy concern with Internet cook- 
ies. 

2 Ethical Theories of Privacy 

While at first glance, the concept of privacy may seem simple, 
many have struggled to adequately describe what privacy ac- 
tually is. In this section, we present a critical analysis of 
different theories of privacy. 

2. 1 Privacy as Nonintrusion 

In their 1890 Harvard Law Review article, "The Right to 
Privacy," Warren and Brandeis 13] wrote that privacy is the 
right "to be let alone." For example. Bob loses some privacy 
when Alice rummages through his desk. In such a scenario, 
Alice is nor leaving Bob alone. By defining privacy as the 
right *'to be let alone," however, we may relate privacy to 
situations which have no true connections to it. If Alice clubs 
Bob on the head with a baseball bat, she has not invaded his 
privacy. She has assaulted him. Nc\'crthclcss, she has indeed 
violated his right **to be Jet alone." 

2.2 Privacy as Control of Information 

Fried [4J. Wcstin [5]> and'Beardslcy [6] define privacy as the 
control of personal information. That is, if we can deter- 
mine how much personal information we can reveal and to 
whom we reveal that information, vrc can prevent violations 
of our privacy. If Alice rummages through Bob's desk, finds 
his credit records, and reveals this information to Charles, 
then Bob has lost control of his credit information and suf- 
fers a violation of privacy. However, while control is an im- 
portant aspect of privacy, privacy solely as control may erro- 
neously describe instances which do not involve privacy. That 
is, there arc many situations in which people lose or never 
have control of their personal information yet suffer no vio- 
lation of privacy. Moor [9] uses the example of medical 
records. Bobs medical records may be passed on to various 
doctors and nurses so that he receives proper medical care. 
While Bob has no control over this medical information, he 
does not suffer a violation of privacy. 



2.3 Privacy as Undocumented Personal Knowledge 
Seeking a better definition of privacy. Parent [7] defines pri- 
vacy as the condition in which undocumented personal in- 
formation is not possessed by others. For Parent, personal 
information consists of those facts which people do not wish 
to reveal about themselves. It also includes facts about which 
a person may be very scnsirive about, .such as weight or 
height. Undocumented information is any information which 
cannot be found in public documents such as newspapers or 
court proceedings. From these definitions, it follows that 
any personal information which is documented must have 
once been undocumented. Parent acknowledges that when 
personal information is first published, there is an invasion 
of privacy. He calls later uses of such information "gratu- 
itous exploitation" rather than further violations of privacy. 
Suppose Alice is sunbathing naked on her private beach, If 
Bob takes a photograph of Alice and Star magazine prints 
the photograph, this personal information now becomes 
documented information. According to Parent, knowledge 
of Alice's nude body is now publicly available, and therefore 
no privacy is lost the next time someone sees Alice nude. 
This conclusion seems counterintuitive to us. 

2.4 Privacy as Restricted Access 

Perhaps the most complete conception of privacy is based 
on restricted access, due to Gavison [8J. She introduces three 
aspects of privacy: Secrecy: The extent to which we are known 
to othets. Anonymity; The extent to which we are die sub- 
ject of others' attention. Solitude; The extent to which others 
have physical access to us. A loss of privacy occurs when the 
degree of our secrecy, anonymity, ot solitude decreases. 
Gavison makes an imponant distinction between the loss of 
privacy and the violation of privacy. That is, losses of pri- 
vacy arc not necessarily undesirable. Each situation must be 
assessed to determine whether the loss of privacy limits the 
functions of privacy. For Gavison, such functions of privacy 
include the following; 

1. The creation of an environment where tru.st, love, 
friendship, and intimacy can be maintained. 

2. Freedom from physical access. 

3. Promotion of liberty of actions. By this we mean that 
privacy permits individuals "to do what they would not do 
without it for fear of an unpleasant or hostile reaction from 
others.** Specifically, it promotes our mental health and au- 
tonomy and protects us from censure and ridicule. 

Moor [9] also adopts the framework of privacy as re- 
stricted access. He describes two kinds of privacy: natural 
privacy and normative privacy. Loss of natural privacy is not 
necessarily an invasion of privacy. If Bob is meditating in 
the Grand Canyon, he is enjoying his state of natural pri- 
vacy If a group of noisy tourists riding mules descends upon 
him, however, he cannot claim an invasion of privacy. On 
the other hand, Bob may be relaxing in his New York apart- 
ment, smoking a pipe and reading the paper. If the same 
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group "of noisy tourists riding nnulcs peers into hts window^ 
chcy are violating his normative right to privacy.* 

2.5 The Value of Privacy 

These different theories agree that privacy is an important 
part of our lives. The value of privacy has been described 
both as a means to achieve or maintain other important 
goals of our lives and as an end, having intrinsic or inherent 
value, itself Rachels [10] considers privacy as a means. For 
him, privacy is important because it enables us to create 
social context in our relationships with other people: 

The value of privacy is based on the idea that there is 
close connection between our ability to control who has ac- 
cess to us and who has information about us, and our ability 
to create and maintain different sorts of relationships with 
different people. For instance, Bob may be aggressive, re- 
lentless, and ungiving in dealing with his business part nets. 
At the same time, he may be tender and sensitive with his 
family and friends. Privacy, as a means, allows us to exhibit 
different patterns of behavior with different people, to main- 
tain different social relationships, Benn [U] argues that pri- 
vacy has intrinsic value. He claims that there is a general 
principle of privacy based on respect for persons. He begins 
by stating that people have a general liberty to do what they 
choose unless someone else has good reason for preventing 
it,2 

For Benn, the principle of privacy offers such a reason to 
limit the general liberty of others to observe and report at 
will. For instance, imagine that Bob is unhappy that Alice is 
watching him, Bob's behavior is fundamentally changed by 
the mere fact that he knows Alice is watching him. Such 
unwanted observation does not treat Bob with the respea he 
deserves. Suppose, on the other hand, that Bob did not know 
that Allct was watching him. He would behave as if he were 
being unwatchcd» which is not the way he would want to 
behave. Covert observation is objectionable* as Benn states, 
because it deceives Bob about the context of his actions and 
treats him without dignity 

3 Ethical Theories of Informed Consent 

Many violations of privacy could be avoided if an element of 
consent or awareness was introduced. Consider again, for 
example, the scenario presented in Section 2.3 about the 
theory of privacy as undocumented knowledge. The main 
problem, it seems, is that Bob did not ask Alice if she would 
mind being photographed. Similarly, Alice did not ask for 
permission before she runmiaged through Bobs desk in Sec- 
tion 2.1. In Section 2,2, Alice did not think about Bobs 
feelings before she blurted out hts credit record to all her 
friends, la each of these scenarios, had the victim been prop- 
erly informed arid given a choice, a violation of privacy might 
not have occurred. Consideration for the victim is the es- 
sence of the theory of informed consent, 



To our knowledge, prc\Mous accoimts of privacy have not 
emphasized the role of consent. Instead, they attempt to de- 
fine precise boundaries around privacy. These accounts ex- 
plain privacy by defming the circumstances under which an 
individuals privacy has been compromised. That is, they 
isolate the concept of pri\'acy solely as an issue of safekeep- 
ing information, without consideration of social context. For 
example, Parent's [7] conception of privacy as undocumented 
knowledge precisely delineates what is private (undocumented 
personal knowledge) and what is not (documented personal 
knowledge). By introducing the concept of consent, our ap- 
proach in this paper is to emphasize the concept of privacy 
as an aspect of the social relationship between individuals. 
Had Alice consented to being photographed after being fully 
informed about potential consequences, we do not believe 
she would have still suffered an invasion of privacy. Our 
approach essentially builds upon Gavisons [8] neutral con- 
cept of privacy. Recall her argument that different situations 
must be examined to determine whether a loss of privacy 
results in a violation. We will argue in Section 4 that linking 
consent to privacy provides a framework for deciding whether 
a loss of privacy may be a violation of privacy. In the follow- 
ing secrions, we present a brief summary of the theory of 
informed consent in both medicine and engineering. 

3.1 A Brief History of Informed Consent 

The theory of informed consent has been most developed in 
the medical ethics. Historically, physicians did not believe 
that the consent of the patient was necessary. Consider 
Hippocrates's advice to future physicians. Perform [these du- 
ties] calmly and adroitly, concealing most things from the 
patient while you are attending him. Give necessaty orders 
with cheerfulness and serenity, turning his attention away 
from what is being done to him; sometimes reprove sharply 
and emphatically, and sometimes comfort with solicitude 
and attention, revealing nothing of the paticnt*s future or 
present condition. The term "informed consent*' first ap- 
peared in 1957 in the decision Salgo v. I^and Stanford, Jr. 
University Board of Trustees. In that case the court asked 
whether the patient had been adequately informed before 
consenting to the medical procedure. By the 1970s and 
1980*s, concerns with civil rights, women's rights, the con- 
sumer movement, and the rights of prisoners and the men- 
tally ill had brought informed consent to the attention of the 
medical community 

3.2 Informed Consent in Medical Ethics 

Faden and Beauchamp [12] present five basic elements nec- 
essary for informed consent in medicine. Disclosure: All 
pertinent information must be disclosed to the patient be- 
fore he makes a dcci sion* This includes information which 
the patient may not have requested. Comprehension: The 
patient must understand the general nature of the illness, the 
risks and benefits of each treatment, and the reasons for and 
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againsc tthcso options. Voluntariness: The patient should be 
under no pressure or duress when making the decision. 
Competence: The patient should be able to take responsibil- 
ity for making the decision (not a child or someone who is 
severely mentally ill). Consent: The patient must be given 
the choice to decide which alternative to take. Gorovitz [13] 
feels that informed consent is necessary: If the patient un- 
dci-stands what the physician proposes to do, and thus in- 
formed, consents to its being done, then the medical inter- 
vention is not imposed on the patient in violation of the 
patients autonomy; rather, that medical intervention is prop- 
erly viewed as a service provided to the patient at the patient's 
request. By providing the patient with a choice in his own 
treatment^ informed consent promotes individual autonomy 
and encourages rational decision making. It also protects 
the physician against charges of asmilt from a patient who 
did not want a particular treatment. Like the theorj' of pri- 
vacy, the theory of informed consent is formally grounded 
on the principle of respect for persons. 

3,2. 1 Against Informed Consent 

Some physicians believe that informed consent is not only 
impractical, but may even be detrimental to the patient. They 
argue that it is not possible for the patient to develop a suffi- 
cient comprehension of the illness as dictated by the doc- 
trine of informed consent. After ail, physicians go through 
years of medical school and residency to develop such an 
understanding. Further, physicians have neither time, skills, 
nor sensitivities to properly inform a patient. Additionally, 
studies have shown that patients, c\'en when ^to^tr\Y in- 
formed, often do not remember what they have been told. 
Most likely, these physicians argue, the patient did not want 
to be given so much information in the first place. It is also 
argued that obtaining informed consent may even be dan- 
gerous to the patient. With limited understanding, patients 
may make dedsions which are detrimental to their own well- 
being, They may even develop uimecessary fears and anxi- 
eties from a more thorough understanding of the potential 
risks and discomforts of the treatments. None of these argu- 
ments seem strong enough to counter the principle of re- 
spect for persons. In fact, a wrong 'Wdical" decision may 
not be the wrong decision from a broader perspective of the 
patients life. For example, Bob may decide to forgo an op- 
eration on his larynx because he makes his living as an opera 
singer. While his decision may be medically unwise, Bob 
knows that such an operation would ruin his career and even 
his life. As Gorovitz [13] writes, "the right to choose is not 
limited to the right to choose rightly.'* 

3 2,2 Exceptions to Informed Consent 

lA<iz [14] identifies situations in v/hich it may be acceptable 
not to obtain informed consent: Emergency: There is not 
enough time to obtain Informed consent without seriously 
risking the well-being of the patient. Incoiupctencc: The pa- 



tient is unable to make a decision for the situation at hand. 
The patient may be, for instance, intoxicated, unconscious, 
or senile. In such a situation, it is appropriate to secure a 
surrogate who may make decisions for the patient. Waiver: 
Under no pressure to do so, the patient waives the right to 
informed consent. Therapeutic Privilege: This exception al- 
lows the widiholding of information that the physician feels 
would be "harmful." Therapeutic privilege prevents viola- 
tion of the physicians primary duty of doing what is benefi- 
cial for the patient solely because of a legal duty to obtain 
informed consent. Unfortunately, many different interpreta- 
tions of this privilege exist, ranging from the most stringent 
to the most lenient. 

3.3 Informed Consent in Engineering Ethics 

Martin and Schinzinger (15j bring the theory of informed 
consent into the area of engineering ethics. They believe that 
socially responsible engineers must consider the informed 
consent of those who will use their products, Engineers should 
realize the consequences of designing and manufacturing a 
product. Customers must be given ail pertinent information 
about a product so that they can rationally decide whether to 
purchase it. For instance, if Bob creates a new security de- 
vice which identifies employees by scanning their retinas 
with a laser, he must reveal all the risks as well as benefits to 
those who are interested in the device. Martin and Schinzinger 
emphasize that information must be voluntarily presented 
even if the customer has not requested it. Therefore, even if 
the customer is not interested, Bob, as a responsible engi- 
neer, would be obligated to reveal the risks of his product. 

4 Collection of Information 

Computers have entirely changed the way wc collect infor- 
mation. According to Johnson [16], not only has computer 
technology increased the scale of information gathering, it 
has also enabled new kinds of information to be collected. 
Without computer technology, for instance, the scientific 
information collected from NASA's recent Mars mission 
would not have been possible. In today's modern environ- 
ment, wc would likely find it impossible to eliminate or even 
limit the collection of personal information. Rather, our ef- 
forts should concentrate on balancing the privacy rights of 
the individual with the needs of the community to collect 
information. In this section, we link previously discussed 
theories of privacy and consent to provide a framework for 
determining when the act of collecting personal information 
is ethical. 

4.1 Distinguishing Collection from Use 
It is important to distinguish the collection of personal in- 
formation from its use. When we do not distinguish collec- 
tion from use, we may easily blame the tool which collects 
information for undesircd consequences. Mainstream mov- 
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ies such as The Net and Hackers have popularized the no- 
tion that computers and the Internet arc the root of privzcy 
and information problems. Numerous individuals have been 
arrested or denied service because databases contained in- 
correct or inaccurate information. For example, accotdiiig 
ro Forester and Morrison [17], Barbara Ward was continu- 
ously refused accommodation by landlords because her name 
v/as in a database of names of people who had taken their 
landlords to court.* Quittner [18] mentions examples of com- 
puter misuse, including Sara Lees plan to collaborate with 
Lovelace Health Systems co match employee health records 
with work performance reports to find workers who might 
benefit from antidepressants. These examples, however, do 
not reveal anything about the actual ethics of the collection 
of information. They are, rather, consequences of the use or 
misuse of collected information/ While it is important to 
examine ethical decisions in the use of information, we wish 
to explore the ethics of the act of collecting personal infor- 
mation.^ 

4.2 When Is Collecting Personal Information Ethical? 
When docs the collection of information result in the loss of 
privacy? Under Gavisons definition of privacy as restricted 
access, the collection of information results in a loss of pri- 
vacy when our degree of secrecy or anonymity is compro- 
mised. We might term the collected information which re- 
sults in such a loss of privacy as personal information. Nev- 
ertheless, such a loss of privacy is not necessarily a violation 
of privacy. Recall Benn's assertion [11) that privacy can be 
justified under the respect for persons argument. Therefore 
as long as the principle of respect for persons is maintained, 
the collection of personal information can indeed be ethical. 
Consider the question raised by Benn [111: How reasonable 
is it, then, for a person to resent being treated much in the 
same way that a birdwatcher might treat a redstart? It is 
reasonable for Bob ro resent being watched like a bird be- 
cause he has no knowledge that he is being watched. Even if 
Bob knew he was being watched, he probably would not like 
ro be treated like an animal or specimen. Likewise, Bob 
probably would not be happy if someone read his private 
journal (a collection of personal information) without his 
permission. In all these examples, poor Bob is being treated 
neither with proper respect nor with regard for his dignity. 
One way to collect personal information from Bob while stilt 
treating him with proper respect is to obtain his informed 
consent. Section 3-2 discussed the basic elements needed 
for informed coment in medical ethics. When we extend 
informed consent from medicine to the collection of per- 
sonal information, the elements of disclosure and compre- 
hension must include the consequences of revealing or not 
revealing personal information: how the information will be 
used, who will have access to the information, how long the 
information will be kept, etc. Only with this information 
can a truly informed choice be made. If Bob understands the 



reasons we would like to obtain his personal information 
and knows the consequences of revealing .such information, 
then he can make an informed choice whether to divulge 
such Information. Obtaining Bob's informed consent shows 
that we respect him as an autonomous being capable of mak- 
ing rational decisions. Both the theory of informed consent 
and the theory of privacy can be grounded on the principle 
of respect for persons. Since informed consent preserves 
this principle of respect for persons, it ensures that a collec- 
tion personal information will not result in a violation of 
privacy. 4.3 When Is Collcccinig Personal Information Un- 
ethical? Does collecting personal information without ob- 
taining consent necessarily result in a violation of privacy? 
That is to say, while obtaining informed consent satisfies the 
principle of respect for persons, a lack of informed consent 
may not necessarily show a disregard for it, Recall Benns 
[11] assertion that only a general principle of privacy can be 
based on the principle of respect for persons: General prin- 
ciples do not determine solutions to moral problems of this 
kind. They indicate what needs to be justified, where the 
onus of justification lies, and what can count as justification 
{1 1). Such a general principle ofiFers only a minimal right to 
immunity. ^' 

We believe that the concept of a reasonable expectation 
of privacy answers Benns questions of what needs to be jus- 
tified, where the onus of justification lies, and what can count 
as justification. For instance, in order to show that Alice 
should not be able to observe Bob on grounds of general 
liberty, Bob must have a reasonable expectation of privacy 
not to be observed in that situation. If Bob does not have a 
reasonable expectation of privacy, then Alice does not need 
to justify, her desire to observe Bob, and therefore obtaining 
informed consent docs not seem necessary If, however, Bob 
docs have a reasonable expectation of privacy, and Alice still 
insists on observing him, then a violation of privacy does 
occur. In this case, Alice has collected personal information 
in an unethical manner. Informed consent can transform a 
potentially unethical collection of personal information into 
an ethical one. A collection of personal information is un- 
ethical when it does not comport with the reasonable expec- 
tation of ptivacy for the situation ac hand, Obtaining in* 
formed consent in these situations is necessary to avoid vio- 
lations of privacy Not all collections of personal informa- 
tion exceed the boundaries of a reasonable expectation of 
privacy, however. That is, obtaining informed consent may 
be sufficient for an ethical collection of data, bur it is cer- 
uinly not necessary. Alice does not need Bobs informed con- 
sent to watch him walk through a public square because 
Bobs reasonable expectation of privacy in this situation is 
limited. He would not reasonably expect that his right to 
privacy would protect him from observers as he walks through 
a public square. Suppose, however, that Alice peers into Bob's 
apartment window. Such an action obviously does not fall 
within Bobs reasonable expectation of privacy. Alice is en- 
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gaging«ia ah unethical collection of personal information, 
and chcrefore violating Bobs privacy. Had Alice requested 
permission to observe Bob, however, a compron)isc may 
have been reached/ Thus, Bob may risk the loss of privacy, 
if Alice seeks prior consultation before her attempt to ob- 
serve him. In such a situation, the principle for respect for 
persons is preserved, Alice is free to conduct her observa- 
tions, and Bob does not suffer a violation of privacy. 

5 Centralization of Information 

In Section 4, we established that the collection of personal 
information does not necessarily result in an vmethical loss 
of privacy. Specifically, if Bob gives his informed consent 
before releasing any personal information, the loss of pri- 
vacy which he experiences is not a violation. When Bob 
does give h'ts informed consent, he essentially weighs all the 
perceived costs and benefits and concludes that the desirable 
functions of privacy (environment for maintaining relation- 
ships, freedom from physical access, and liberty of actions) 
are still preserved. In this section, we distinguish the act of 
collecting information from the act of centralizing informa- 
tion. By centralisation of information, we mean the process 
of aggregating large quantities of personal information which 
have been collected for different purposes, and using this 
aggregation of information for an entirely new purpose. We 
will argue that the centralization of information, in contrast 
to its collection, is unethical because centralization contra- 
venes the desirable functions of privacy identified in Section 
2.4. 

5.1 Creation of a Dossier Society 

[n 1986, Laudon [20J warned about the danger of the dos- 
sier society, in which personal files from different govern- 
ment agencies are integrated into a permanent national data- 
base. Advances in technology in addition to the governments 
loose interpretation and enforcement of the protections of 
the Privacy Act of 1974 had made the dossier socict)' a real 
possibility^ Not only did the development of a dossier soci- 
ety threaten the traditional American desire for a limited 
role in government, it had harmful cultural consequences as 
well: 

From the individual s point of view, die most significant charac- 
teristic of the dossier society is that decisions made about us as 
citizens, employees, consumers, debtors, and supplicants rely 
less and less (m per.wnal faoc-ro-fece contact, on what we say, or 
even on what we do. Instead decisions are based on information 
that is held in national systems, and interpreted by bureavicrats 
and clerical workers in distant locations. The decisions made 
about us arc based on a comprehensive ''data image" drawn 
from diverse files 120). 

What concerned Laudon most was the aggregation of 
power that a dossier society would bring to the federal gov- 



ernment. He feared the necessity of explaining an "official 
life" to any government official who demanded such an ex- 
planation. Such concerns led him to criticize the potential 
development of the FBI s plan to create a national computer- 
ized criminal history into a general purpose national infor- 
mation database. Twelve years later howc\'er, we realize that 
fears about the dossier society are not limited solely to "offi- 
cial" information held by the federal government. The inte- 
gration of commercial databases in industry has also created 
a de facto national database which is less official and more 
personal, even detailing preferences and habits. Culnan and 
Smith [22J describe the public uproar in 1991 over Lotus 
Marketplace: Households, a CD-ROM database which con- 
tained information, induding lifestyle and purchasing pro- 
pensities, of 120 million individuals in 80 million U.S. house- 
holds. In June 1996, Lexis-Ncxis launched its P-Trak ser- 
vice, advertised as the digital equivalent of the phone direc- 
tory (23). The P-Trak service, again, caused public concern 
because it gave access to Social Security Numbers. Within 
days of its launch, Lcxis-Nexis, realizing the potential dan- 
gers of revealing such personal information, removed access 
to the Social Security Numbers. 

5.2 Economic Theory of Information 

The Lotus Marketplace: Households and Lexis-Ncxis P-Trak 
controversies showed that centralized information could be 
easily accessible to everyone. Economic theory suggests that 
the cost of acquiring information guides behavior. For in- 
stance, if the perceived cost to Bob of learning how to select 
the very best apple in the supermarket is greater than its 
perceived benefits. Bob may decide to select a relatively good 
apple rather than the very best. Decreasing the cost of ac- 
quiring information, easily accessible databases increase the 
chance that persons will search for information that they 
would not otherwise seek because the cose would have been 
too high. Because there is such a low cost for obtaining the 
information, people may even acquire information which is 
neither pertinent nor reliable for the decisions they need to 
make. Imagine if Bob*5 business competitors and his inti- 
mate friends could easily obtain the same comprehensive 
data image which detailed not only his tax and credit records 
but his culinary preferences and purchasing habits as well. 
Easy access to an integrated federal and industry database 
seems devastating to our notions of privacy. 

5.3 Violation of Privacy Without Loss of Privacy 

Is there an ethical basis to our fear of the centralization of 
personal information? To the extent that no extra informa- 
tion is collected in the centralization process, how can there 
be any additional loss of privacy? While there may not neces- 
sarily be a loss of privacy there is an unethical violation of 
privacy Samets (24] points out that we consider it a viola- 
tion of privacy if Bob looks into our window and takes note 
of what we arc doing. However, we experience no violation 
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of privacy if 'Bob looks out of bis own window and notices 
what wc arc doing outside.^ 

In addition » lets assume all of Bobs family and friends 
also record what they see about us out their windows. Later 
that week, they all get together to share and compare notes. 
There is something disturbing about the detailed personal 
profile that Bobs family and friends would be able to com- 
pile. 

According to Rachels (10], privacy is important because 
it provides the proper context for us to create and maintain 
different sorts of relationships with different people. Cen- 
tralization of personal information is unethical because it 
destroys this important context which privacy provides. The 
coniprehetxsive data image created in a centralized dat^ase 
denies us the ability to engage in the "different patterns of 
behavior associated with different relationships." While wc 
have not consented to divulging certain information to cer- 
tain parties, all parties who use the comprehensive data im- 
age cani acquire that information, Wc might even say that a 
comprehensive data image is a portrayal of person that really 
does not exist. That is to say, at no single moment in time, 
do we display all behaviors that may be revealed in the com- 
prehensive data image. Rather, wc maintain different faces 
and behaviors in different contexts and relationships. Fur- 
ther, such a comprehensive data image permits subsets of 
information that arc not personally or socially meaningful. 
The centralization of information creates an unsound profile 
because it takes information out of its original context and 
uses it in a different context. While certain information may 
be accurate in the context for whidi it was initially collected, 
it may be inaccurate when it is moved into a different con- 
text in a process of centralization. Wc may observe Bob as a 
careless free spirit at the racy nightclub which he frequents 
on the weekends. This certainly does not mean that he ex- 
hibits the same characteristics in his decisions as CEO of 
bis company or as a father to his children. For these reasons, 
we conclude that centralization violates privacy. By changing 
the context in which information was initially collected, it 
counteracts a key fimction of privacy; the ability to create 
and maintain different relationships,** 5.4 Informed Con- 
sent and Centralization of Information In section 4.3, wc 
suggested that obtaining informed consent is sufficient for 
an ethical collection of information. How does obtaining 
informed consent affect the centralization of information? 
As discussed in the previous section, we believe that the 
centralization of information is prima facie unethical. Un- 
like the collection of bformation, which can be ethical even 
without obtaining informed consent, there are no conditions 
under which centralization of information can be ethical 
without obtaining informed consent. In fact, in situations 
where personal information is centralized, it is often im- 
practical or impossible to even obtain the informed consent 
of the individuals. 



For example, Parker [25] describes the ethical conflict 
faced by a scientist who finds two different kinds of data on 
the same subjca pool The scientist believes dfvat there would 
be significant scientific value in merging and analyzing the 
data. Unfortunately, while informed consent had been ob- 
tained from the subject pool fot collecting their personal 
information for the earlier studies, the subjects have now 
dispersed, and it is impossible to obtain their informed con- 
sent for this centralization of information. By merging the 
data, the scientist would be un):thical. Parker suggests that 
the solution is to obtain the informed consent of a proxy, or 
representative of the subject pool, such as an independent 
committee. The proxy would weigh the benefits of the re- 
search against the violation of privacy to decide whether the 
merging should be allowed. 

Parkers solution of a proxy may be sufffcicnt for his sce- 
nario because the amount of centralization is small. We do 
not believe, however, that the solution of obtaining informed 
consent through a proxy can be extended to scenarios with 
large amounts of centralization. That is, when the scale of 
centralization is large enough to create a digital dossier, it is 
unlikely that an individual will consent to such a portrayal. 
Such profiles are dangerous because the superfluous infor- 
mation they provide affects how decisions are made. Pur* 
thermore, large scale centralization 6f information is a viola- 
tion of privacy because the data images it creatw; are used 
out of context, and counteraa the ability to create and main- 
tain different relationships. 

6 Reasonable Expectations of Privacy in Public 
Places 

From the foregoing discussion, it does not seem that we 
necessarily have a prima facie right to privacy outside of that 
based on Benns general principle of privacy. In fact, Ware 
[26] suggests that society will not and should not protect an 
individuals privacy at all costs. There is inevitable conflict 
becv\'een an individuals right to privacy and a com muni tys 
rights. Such conflict may be manifested in monetary terms, 
inefficiencies to systems, or denial of desirable social ser- 
vices. This awareness of community rights is particularly 
pertinent to the right to privacy in public places, a concept 
introduced by Nisscnbaum [27]. 

6.1 Privacy in Public Places 

For Nissenbaum, current theories of privacy (Section 2) do 
not adequately address the relevance of privacy in realms 
other than the intimate and personal. Previous works on 
privacy ([4], [5], [6], [7], [28]) ancmpt to define a distinct 
and mutually exclusive boundary between an intimate per- 
sonal realm where privacy is protected and a public realm 
where privacy has no relevance and ail information is avail- 
able to everyone. Nisscnbaum [27] points out chat while ^'dierc 
is a broad consensus on what information may be classified 
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pehonal ariy intimate, there is, on the othtr hand little, if 
anything, that people universally would admit into a com- 
pletely public realm if by that wc mean that it is governed by 
no norms of privacy whatever." Rather than viewing a con- 
text as purely private or purely public, we might view the 
context as having both private and public elements. 
Nissenbaum criticizes the notion that there is a relationship 
between a place and information which might be obtained 
in that place. That is, we should not assume that information 
is public simply because the place in which is vras obtained 
is public. For instance, "shoppers may not object to using 
open shopping carts but may sense violation if inquisitive 
neighbors noted and reported on their purchases" [27]. For 
Nissenbaum, a conception of privacy should expend consid- 
eration to all information, Including information which is 
obtained in public places. 

6.2 Reasonable Expectation of Privacy 
The protection of privacy in public realms cannot be as strong 
as in intimate realms. While wc should extend consideration 
of privacy to the public realm, we must also acknowledge rht 
limitations of privacy in the public realm. Moor's [9] con- 
cept of a naturally private situation captures the essence of 
the limitations of our right to privacy. A naturally private 
situation seems to be nothing more than the experience of 
isolation in a public place. Recall the sudden interruption of 
Bob's peaceful meditation in the Grand Canyon by the rude 
mule riding tourists. Although the intrusion is annoying and 
unfonunate, Bob has no right to privacy in this public place. 
The protection of privacy in such a public realm is limitedj 
and his loss of privacy cannot be a violation. 

How, then, do we determine what is reasonable in our 
expectation of privacy in public places? Bob may experience 
a loss of privacy when he purchases some books at the local 
bookstore because the bookstore may record Bob's purchas- 
ing preferences for im^entory purposes. Such a collection of 
personal information would reduce Bob*s secrecy and ano- 
nymity. The collection of this information seems reasonable 
because such public transactions are a necessary aspect of 
everyday life in society. Nevertheless, Bob may also reason- 
ably expect that the information obtained by the bookstore 
will not be shared with third parties because such sharing 
was nor the initial purpose for collecting the information. 
Our expectation of the protections of privacy should con- 
sider the needs of society's other entities such as industry, 
government, and community. A reasonable expectation is 
one which considers the practical harms which accompany a 
loss of privacy. That is, a claim of privacy seems reasonable 
only if there might be potential harm caused by the loss of 
privacy. For instance, Bobs claim of privacy would not be 
reasonable if Alice merely observed the nice red shirt he was 
wearing. A reasonable expectation of privacy should also 
consider the dynamic nature of the hierarchy of rights: de- 
pending upon the context of the situation, there may be other 



intrinsic principles and rights which may be more important 
than privacy. When Bob is in his house, his right co privacy 
may take precedence over Sallys right to observe him. If he 
is in a public square, however, Sally*s general liberty to ob- 
serve may take precedence over Bobs right to privacy. An- 
other example of the dynamic nature of rights is the revela- 
tion Bob's past history of drug addicrion in his criminal trial. 
In normal circumstances, such a revelation may be inappro- 
priate and a violarion of Bob's privacy. In a criminal trial, 
however, the principle of social justice takes precedence over 
the principle of individual privacy. Reasonable expectations 
of privacy in public places must change as our social envi- 
ronment changes. Having expectations of puvacy is particu- 
larly relevant when we consider the effects of the fest pace of 
information technology on our moral norms. For instance, 
until 1967i when the Supreme Count decided in Katz v. 
United States, that telephone conversations should be pri- 
vate, some considered these conversarions to be property of 
those who owned the telephone equipment. In response to 
the publication of Robert Bork's videorapc rental records in 
the newspaper, the Video Privacy Aa of 1988 reversed the 
status of video rental records from public to private [27]. 
More recently, the Violent Crime Control and Law Enforce- 
ment Act of 1994 limited access to drivers' records, which 
were previously regarded as public records T'no-holds barred" 
(27). Our use of information technology will conrinue to 
reveal new issues of privacy in public places, shifting our 
societal judgments and affccring our moral norms. Our ex- 
peaations of privacy will change with such developments. 

7 Privacy and the Internet 

We maintain that the Internet, in its current state, is a public 
place. Recall Nisscnbaums separauon of place from infor- 
madon [27]. That is, although we may be sitting in a private 
place (our own homes), when we access the Internet, we are 
engaging in transactions and exchanging information with 
other end tics (companies, government, educational institu- 
tions, etc.) which ate definitely not part of our indmate and 
personal realms. Although we may be in a physically private 
location, the transacdons that cake place on the Web stron^y 
parallel those transactions that occur every day in our public 
lives. If the Internet is a public place, what then should be 
our reasonable expectations of privacy? Currently, reason- 
able expectations of privacy on the Internet arc neither for- 
mally rooted nor well developed. Because Internet technol- 
ogy facilitates the manipuladon and collection of informa- 
tion, losses of privacy occur continually, and unfortunately, 
it is often difficult to determine what constitutes an ethical 
or unethical collection of data. For example, each time Bob 
views a page on the Web, that Web site collects several im- 
portant pieces of information about him: the name of his 
computer, the rime of the request, and the address of the 
previous Web page he was viewing. As previously discussed, 
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oiie way c<^ avoid the unethical collection of personal infor- 
mation Is to obtain informed consent. But obtaining informed 
consent every time Bob moves to a different Web site would 
be impractical. 

It is helpful to compare new Internet situations to more 
familiar situations, in w^hich our expectations of privacy are 
better developed. For instance, is making a purchase on the 
Web similar to purchasing a candy bar from a vending ma- 
chine? Or is it more similar to purchasing a candy bar from 
the local supermarket? In order to purchase something on 
the Web> we must release personal information such as our 
name, address, and perhaps credit card information. The 
analogy of the supermarket, then, seems more appropriate 
than the vending machine. Be- cause we release personal 
information to a supermarket when we apply for discount 
cards, we would reasonably expect the supermarket to track 
our purchases for the purposes of maintaining customer sat- 
isfaction and proper inventory. Likewise, we might reason- 
ably expect similar forms of information collection from a 
Web site. 

Such analogies can take us only so far. What should the 
reasonable expectations of privacy be when wc visit virtual 
galleries or adult sites on the Web? Arc and should we be 
afforded complete anonymity when engaging in online chat 
groups? It may take time before our moral norms develop in 
this new Internet context. As we discover new situations in 
which privacy may be violated on the Internet, wc will con- 
tinue CO adjust and reformulate our moral norms. 

8 Internet Cookies 

Internet a)okies provide a test for our claims about the col- 
lection and centralization of information. Since early 1996, 
when an article in the San Jose Mercury brought cookies to 
public awareness, there has been much concern over cook- 
ies' effect on out privacy [29]* Noncthelcss» popular senti- 
ment, like the following statement expressed on a public 
me$.sage board on the Internet, demonstrates a failure to 
distinguish the tool from its use (see section 4,1): I hate 
cookies. . . They [those who use cookies] may think it s 
harmless but they are taking something without permission 
and without payment [30], Although reasonable expectations 
of privacy on the Internet arc not yet well developed, in this 
section, we offer an interpretation of a reasonable expecta- 
tion of privacy with regard to the use of Internet cookies. 
Once the public has developed a reasonable expectation of 
privacy for cookies, wc can determine what uses of Internet 
cookies require informed consent. Wc will show that some 
uses of cookies are morally permissible while other uses arc 
immoral. Ba^ed on our analysis of the collection and central- 
ization of information and our discussions of public places 
and reasonable expectations, we will identify the conceptual 
muddles which cookies present and explain how cookies can 
be used in both morally permissible and unethical ways. 



8.1 What arc Internet Cookies? 

When we visit a Web site, that Web site may give our Web 
browser a block of text, which is usually a name, value pair. 
On each subsequent visit to that Web sitc» our browser sends 
that specific block of text back to the Web site. Upon receiv- 
ing that text» the Web site can act in a variety of ways. For 
instance, it recognizes our browser as a repeat visitor, and 
may provide us with customized service. It can also change 
the value of the block of text depending on our behavior at 
that Web site. Our Web browser remembers this block of 
text, commonly known as a cookie, by storing it on our hard 
drive. Not all cookies store information on our hard drives. 
Transient cookies are stored in the memory of the computer 
only for the duration of the current web browsing session. 
For example, Bluestcm, the WWW Identification Service at 
the University of Illinois at Urbana-Charapaign uses these 
transient cookies to store authentication information once 
users have logged onto the secure system. Mallard, a Web 
based interactive learning environment developed at the 
University of Illinois also uses cookies in Its authentication 
system." 

In both cases, the cookies are removed when the user 
logs out of the system or quits the Web browser. Because 
these transient cookies seem to pose no apparent ethical 
problems, the remainder of this paper will focus on the per- 
sistent cookies, which are stored on a users hard drive. 

8.2 Argument Against Cookies 

Mayer-Schocnberger [31] presents four major reasons why 
cookies are an invasion of our privacy. In this section we 
show that the conceptual muddles created by cookies weaken 
his argument against them. 

Cookies are stored on the users computer without his 
consent or knowledge. The typical computer user also has 
no knowledge that cache files, temporary fdes, and log fdes 
ate being stored on his computer. In fact, most of these files 
fill much more space on the hard disk than the small block 
of text of a cookie. This objection, then, cannot be about 
cookies, but about the use of computers and technology in 
general We might think of a computer as an incomprehen- 
sible system. That is, just as we do not necessary know how 
our automobile transmission operates, \^'e cannot know about 
everything which occurs in our computers. In the automo- 
bile, we dont need the drivers consent to shift gears. Simi- 
larly, we probably do not need consent for a program to 
store a small Je on our hard disk. In fact, it would be coun- 
terproductive to our use of computers if we were informed 
every time an application wanted to change the internal state 
of our computer. The advantages of Web technology seem to 
far outweigh the tiny harm of a small block of text set on our 
hard drive. The cookie is clandestinely and automatically 
transferred from the users machine to the Web server. The 
typical computer user is unaware of much information which 
is automatically transferred from his computer into the net- 
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\varkcdi;wodd. Each time we visic a Web site, for instance, 
our computer transmits much information to the Web server 
including our IP address, che current time, and the previous 
Web page wc were visiting. 'If our computer is linked to che 
networked world, it is, without our knowledge, continuously 
transferring information about its location and existence to 
other computers. E-mail is not sent directly to the intended 
receiver, but is automatically transferred through numerous 
machines of which we have no knowledge. Such automatic 
tcansferral of information is essential to our use of current 
technology. Because cookies allow the Web server to set an 
expiration date, they violate the "accuracy** and "timeliness" 
principles in che European Union Directive on che Protec- 
tion of Personal Data. This argument seems to mistake the 
tool for its use. In fact, the expiration date option allows the 
realization of the accuracy and timeliness principles. Of 
course it is possible for someone to abuse this option thereby 
violating che principles in the Directive. The cookie, itself, 
docs not violate the principles.*' 

Once the cookie is set, it is freely accessible to Web 
servers. This argument is technically inaccurate. Only the 
Web server which set the cookie can access chat cookie. 
Additionally, no other Web server would understand or have 
use for the cookie except the Web server chat set it. 

8.3 Morally Permissible Uses of Cookies: Collection of 
Information 

It is important to keep in mind that cookies arc merely a 
tool which is used to collect personal information. As we 
have discussed previously, the collection of personal infor- 
mation does not necessarily result in a violation of privacy. 
Imagine that Bob visits his local grocery store. When Bob 
enters the store, Carol, the store- keeper, immediately rec- 
ognizes him as a valued repeat customer. She greets Bob 
with a form handshake and shows him che new shipment of 
ripe apples, Bob*s favorite fruit, which just arrived. Bob fills 
his shopping cart with the best fruits and vegetables he can 
find. He purchases his goods, and takes ofif down the street, 
munching on a delicious newly purchased apple. The fact 
that Carol recognized Bob and remembered what he liked 
would be considered "doing good business" on the part of 
Carol. Each time Bob has visited her store, Carol has no- 
ticed what types of fruits and vegetables Bob likes to buy. 
Bob returns to CaroFs grocery store because he appreciates 
the customised service he receives there. When cookies arc 
used for site personalization and online ordering systems, 
chey are an effort to "do good business" on the Web. There 
are benefits for both the Web site and the Web customer If 
Bob likes the ease of service and the personal attention he 
receives at a Web site, he may return there often. In these 
situations, the collection of information performed by cook- 
ies does nothing more than mimic the memory of Carol. As 
a repeat customer to Carols grocery store, Bob has implic- 
itly consented to having Carol remember his preferences. 



That is to say, Bob's reasonable expectation of privacy in this 
scenario is that Carol may recognize him after multiple vis- 
its. Likewise, since a large component of the Internet paral* 
Icls similar purchasing scenarios, it is also within a reason- 
able expectation of privacy for a Web site to recognize Bob 
as a repeat visitor. In both cases, the information collected 
by Carol or the cookie does not result in a violation of pri- 
vacy because of Bob's reasonable expectations as a repeat 
customer. Notice that outside the grocery store, Carol knows 
nothing about Bob. She may not even know Bobs name. 
Similarly, cookies are useful to a Web site only when we visit 
that Web site. The Web site may recognize Bob only as some- 
one who has visited before. It does not know his e-mail 
address, phone number, or home address unless he has ex- 
plicitly given che Web sice such informacton. Garfinkel [331 
describes how cookies may, in fiicc, be used to protea pri- 
vacy. Used properly, cookies can eliminate the need for cen- 
tral data banks. Generally, a cookie is a unique number which 
is used to reference a databank of information stored at the 
Web sice. For instance, Bob may have a cookie which has 
the value 007 stored on his computer. When Bob visits the 
Web site, his Web browser sends the number 007 to the site. 
With that number, the Web site can look up information in 
its databank ajid find out chat visitor 007 has visited ten 
times before and likes to read the articles about che apple 
industry which are available on the site. However, as Garfinkel 
describes, rather than using the cookie as a unique identi- 
fier, che actual preferences might be stored in the cookie 
itself, eliminacing the need for a central databank. For in- 
stance, instead of a cookie which has che value 007, the 
cookie might now consist of: 
visits = 10; articles = apple 

Therefore, when Bob leaves, he takes his cookie filled 
with personal preferences with him, leaving the Web site 
unable to remember anything about him undl he returns.'^ 

8.4 Immoral Uses of Cookies: Centralization of Information 
Not all uses of cookies arc ethical. The use of cookies by che 
target markering industry to track our behavior on the Internet 
is an attempt to centralize personal information. In Section 
5, we criticized the centraKzacion of information for taking 
information out of its intended context and putting it in a 
new, foreign context. Target marketers* use of cookies is a 
special case of centralization of information. Their initial 
purpose in the collection of information is the centralization 
of information. Target marketers have developed a technique 
CO track us all over the liuernet by adding cookies co che 
advertisement banners on so Web pages. Such uses of cook- 
ies do not seem to fit within a reasonable expectation of 
privacy on the Web. Consider the following scenario: Bob 
visits the Web site www.dailynews.com co read about the 
happenif^s of the day. On that page, he notices an advertise- 
ment banner for Jazzy Widgets. The advertisement banner 
was placed on the www.dailynews.com Web page by a target 
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marketing compan)^ named Banners-R-Us. Unknown to Bob, 
as he is reading the daily news, a cookie has just been set on 
his computer by www.bannersrus.com (not 
www.dailynews.com!). After he finishes reading the news, 
the www.dailynews.com site asks him to register for addi- 
tional access to the site. Bob happily divulges his name> e- 
mail, phonc» and address because he has enjoyed the Daily 
News site. However, he does not consent to sending that 
registration information to Banners-R- Us. Bob completes 
his visit at www.dailynews.com and decides to visit his fa- 
vorite online compact disc shopping site, 
www.columbiahut.com, to purchase some new CDs. At 
www.columbiahut.com, he notices an advertisement banner 
for Classical Widgets. Again, the Classical Widgets banner 
was placed at the Columbia Hut Web site by Banners-R-Us. 
Again, through the advertisement banner for Classical Wid- 
gets and unknown to Bob, the Banners-R-Us cookie previ- 
ously set at www.dailynews.com is sent to 
www.bannersrus.com. Banners-R-Us now knows that Bob 
enjoys reading the news at the Daily News site and purchas- 
ing CDs at the Columbia Hut site. If it received any of the 
registration information Bob gave to the Daily News site, it 
may even be able to connect his name and e-mail address 
with his Web browsing behavior [34], Banners-R-Us will 
continue to track Bob and gather information about his 
browsing behavior wherever he bumps into advertisement 
banners placed by Banners- R-Us on the Web. 

The use of cookies to track users as they move from site 
to site is an unethical invasion of privacy. Such use violates 
our privacy because it creates an undesirable loss of ano- 
nymity and secrecy. No consent has been obtained by target 
marketers before they collect information about us. Recall 
from Section 4.3 that the lack of consent docs not necessary 
render an act unethical. In this cookie case, however, con- 
sent seems necessary to legitimize the collection of data. The 
reason is that such a setting of cookies does not fell within 
the realm of our current reasonable expectation of privacy 
for the Web, The cookies set by target marketers differ sig- 
nificantly from those set at a Web site we are actually visit- 
ing. When wc visit a Web site, it is reasonable to expect that 
site to collect information about us (recall the example with 
Carol the storekeeper). When Bob frequents a Web site, he 
is actively establishing a relationship that site. With target 
marketers, howevetj Bob has no intention nor inclination to 
establish a relationship with them. For them to obtain infor- 
mation about him without his consent, then, is beyond a 
reasonable expectation of privacy. 

In Section 8.3, we mentioned that a Web site cannot 
obtain a users e-mail address, phone number, or home ad- 
dress by setting cookies. According to Cranor [32], how- 
ever, "multiple Web sites sometimes share access to cookies. 
A user who reveals personal information to one Web site 
may unwittingly reveal that information to other sites." Spe- 
cifically, if Web sites have agreements to share information 



with target marketers which have advertisement banners on 
those sites, information which users may reveal to that par- 
ticular Web site through registration forms may ultimately 
be linked to their Web browsing behavior, obtained by tar- 
get marketers through their use of cookies to centralize in- 
formation. This is one technique which might be used to 
generate lists for unsolicited bulk e-mail, 

8.5 Cookies and Consent 

In section 8.4, we argued that the setting of cookies by 
target marketers is immoral because such a collection of 
information is not within a reasonable expectation. Wc have 
argued that consent is necessary when a collection of per- 
sonal information docs not comport with a reasonable ex- 
pectation of privacy. 

During the early stages of this paper, the current version 
of the Netscape Web browser, Netscape Navigator 3.01, 
had the option to set a "cookie alert" which would warn the 
user when a site wanted to set a cookie. The alert notifica- 
tion would give the user the option of either accepting or 
rejecting that cookie. The default setting of Netscape, how- 
ever, was to accept all cookies unconditionally. Furthermore, 
there did not exist an option to completely reject all cookies. 

Currently, the new Netscape Communicator 4.04 has 
extended its cookie options. Not only can users set the 
'cookie alert" option, they also have options to accept ail 
cookies, only cookies that arc returned to the originating 
server, or completely disable cookies, Notice that the option 
to accept only cookies that are returned to the originating 
server distinguishes our morally permissible and immoral 
cookies. The default setting, however, remains the uncondi- 
tional acceptance of all cookies.'^ In addition, these cookie 
warnings appear only when a Web site desires to set a cookie 
on a user's hard drive. Technically, no loss of privacy has 
occurred at this point. Loss of privacy occurs later, when the 
cookie is collected and transmitted back to the Web site on 
subsequent visits. Users must also be informed when such 
transmission of cookies occur. Mayer-Schocnberger [311 
raises the point that the cookie wTjrnings provided by popu- 
lar Web browsers are cryptic and hard to understand for the 
typical user. Indeed, these cookie warnings may not provide 
enough information to be considered informed consent. 
However, because the default behavior of popular Web brows- 
ers is the unconditional acceptance of cookies without noti- 
fication, only users who are already "cookie savvy'* enable 
the alert option and receive no- tification. Most users do not 
even know what a cookie is. Additionally, with the abundant 
use of cookies on the Internet, cookie warnings soon be- 
come a hindrance rather than a help. As Cranor [32] ob- 
serves, "when such disruptions occur frequently, individuals 
are unlikely to pay close attention to them." 

Cookie preferences should be configured similarly to the 
security options found on popular Web browsers like 
Netscape and Internet Explorer. By default, these security 
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optiqns.^nli^e cookie options, are enabled. For instance, 
we arc always warned whenever we may be sending 
unencrypted information to a Web site. To disable this warn- 
ing, we simply click an option which appears in the warnhig 
window itself. In contrast, in order to configure cookie pref- 
erences, the user must first know about cookies and then 
have the patience to find the options in the various browser 
menus. By default, Web browsers should inform the user 
about the setting and transmission of cookies. Additionally, 
the warning windows should then contain the various op- 
tions to enable, distinguish, and disable all cookies. These 
options would allow users to configure their cookie prefer- 
ences "on the y," for example, if the cookies warnings be- 
come too annoying. 

Another possible solution is to include privacy policy 
choices (cookie options) in the setup phase of software in- 
stallation. When installed on a computer, typical software 
packages must go through a one-time setup phase. During 
the setup phase, the user is asked to give information which 
is needed by the software program. Therefore, the setup phase 
is an ideal place to obtain informed consent from a user. 
Recall in Section 3.2 that the disclosure of all pertinent in- 
formation (whether or not the user is interested) is necessary 
for informed consent. While typical users may not be inter- 
ested in privacy policies, they must all endure this setup 
phase in order to use the software. Placing privacy options 
in this setup phase then forces the user to become informed 
about the potential privacy losses and violations related to 
the software. With the recommendations of the previous 
paragraph, this mechanism would inform users about cook- 
ies and give them the ability to change their personal prefer- 
ences concerning cookies "on the y." Cookies are so preva- 
lent on the Internet that completely disabling them would 
likely limit the capabilities of the Web browser. We reem- 
phasize that is unnecessary to disable all cookies since typi- 
cal uses lie within reasonable expectations of privacy. What 
is important in developing cookie configuration policies, 
then, is distinguishing morally permissible cookies from 
immoral cookies, 

9 Summary and Conclusions 

The Internet provides a new context in which to explore our 
ideas about privacy. The scale and ease of personal informa- 
tion collection and centralization have caused general con- 
cern and confusion regarding our rights to privacy in such 
an environment- We have offered a framework foe evaluat- 
ing the ethics of the manipulation of information on the 
World Wide Web. We believe that there arc both ethical and 
unethical ways to collect personal informadon. 

Specifically, collection of information is unethical when 
such collection lies beyond our reasonable expectation of 
privacy for the situation. Obtaining informed consent be- 
fore collecting personal information, however, is a sufficient 



means for preventing violations of privacy. While collection 
of personal information can be ethical, we believe that cen- 
tralization of personal information is inherendy unethical 
because it undermines the basic function of privacy to cre- 
ate and maintain personal relationships. 

Finally, we described the Internet as a public place and 
offered an interpretation of a reasonable expectation of pri- 
vacy for certain situations on the Web, Specifically, we ex- 
plored the the issue of Internet cookies and concluded that 
the use of cookies for online shopping and for customer 
preferences is morally permissible. In contrast, the use of 
cookies by target marketers to monitor consumer habits is 
unethical not only because such collection lies beyond a rea- 
sonable expectation of privacy bur also because the collected 
information is unethically centralized. ♦ 
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Metes: 

1 , Moor aswru chat nornwtive privacy is culturally clcttrmined: situatiotu whid\ ought 

to be pjivatc should be open to rational and mora] argument. 

2. Good reason, in this scjuc, must be a reason grounded on mora! principle such as 

freedom of others, justice, rcspca for pcrionsr or avoidance of needless pain. 
5. Waid had taken her landlord to court because he had failed to deal widi the 
cockroaches and rodents which infested her apartment. 

4. In his article "Private Life in Cyberspace", Bartow 119) reflects on the Lotus 

Marketplace; Households dedsion. He contrasts today's misuse of information 
and tedvnology to the ccstnuni exhibited in small towns, whew everyone knows 
information about evciyonc else, bur cares enough to use the information in a 
respectful manner. 

5. Wc are not saying that the too! itself has no effect on people's behavior. Johnson [16] 

argues that because computers faciliute the collection of information, people 
engage in aaiviiics which would have not otherwise been possible. Computers, 
as tool$» therefore are an important factor in how people make decisions. 

6. An activity is immune if it is not appropriate for unauthorized persons to watcii it- 

7. As Maitin and Schinziogcr U51 have observed, most people tend to accept risks 

which are voluntarily undertaken. 

8. The Privacy Act of l?74 forbade the executive branch of the government from 

thaiing information among dittina government program areas. Use ofinformarion 
vras limited to ^routine use," or a "purpose which is compatible widi the purpose 
for which it was cojlccted." Unfortunately, interpretations of **routinc use" were 
so loose, diey left die Privacy Acrincffotlve. In addition, the Office of Management 
and Budget, the agency designated to enforce the Privacy Act, essentially refused 
CO uphold the principle* of the Act. Both Uudon [20] and Shattudt [21] provide 
informative sections about the Privacy Act of 1974. 

9. Under Gavi$on$ definition of privacy, there may indeed be a loss of privacy. That is 

tosa)^ because we arc the subject of Bob's attention, a degree of our anonym icy is 
lost [8]. However, according to Moor, thb would be a loss of natural prWacy 
which is not necessarily a violation of privaqf [9] 

10. It might be argued that although the ccmralttcd information exists, this does not 

mean that everyone m\\ choose to use it. However, as discussed in 5,2, centralization 
reduces die cost of obtaining information and makes it more likely that someone 
will choose to access ic. In this sense, it is very mucfi a factor in determining how 
people aa. This argument is similar to the argument Johnson [16] uses to show 
that tools such as compurcrs arc a fiaccor in determining what people do. 

11. For more information on Mallard, consult http://www.cen.uiucedu/MalUrd. 

12. The European Union Ditecth^ on the Protection of Personal Data includes five 

conditions: (I) personal data must be "processed fairly and lawfiiUy" and only 
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•"oolleved f(fr a specific, explicit, and legitimate purpose*; (2) no further processing 
which U incompatible with the original Icgiiimare purpose is permitred; (3) 
processing must be 'adequate, rcle^mt, and not excessive in rdauon to the 
purpose** ai wcil as ^accunte, and when necettaj)^ kept up to date'*; (4) dau may 
be stored for "no longer than necessary for the purposes for which the data was 
coiicctcd^; (5) processing may take place only if the person to whom ilie personal 
information refers "has unambiguously given his conjcnt.'* 

13. The contents of the cookies in the above examples arc quire simplified. For a 
detailed dcsaiption of what cookies actually look (iVc, conjuU the book by 
Garfinkcl and Spafford [33). 

14. While hitctnct Eirplorer 4,0 has options to warn, ahmiyx aooepr, or disable cookies, 

it does not distinguish morally permissible cookies from immoral cuokics. ^ 
Netscape C/ommunicacor 4.04 docs. 
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